Abstract

We develop a definition of protocol security relying on game-theoretic notions of implementation. We show that a natural special case of this definition is equivalent to a variant of the traditional cryptographic definition of protocol security; this result shows that, when taking computation into account, the two approaches used for dealing with "deviating" players in two different communities — Nash equilibrium in game theory and zero-knowledge "simulation" in cryptography — are intimately related. Other special cases of our definition instead lead to more practical protocols and circumvent known lower bounds with respect to the cryptographic notion of security.
1 Introduction

It is often simpler to design and analyze mechanisms when assuming that players have access to a trusted mediator through which they can communicate. However, such a trusted mediator can be hard to find. A central question in both cryptography and game theory is investigating under what circumstances mediators can be replaced — or implemented — by simple "unmediated" communication between the players. There are some significant differences between the approaches used by the two communities to formalize this question.

The cryptographic notion of a secure computation [Goldreich, Micali, and Wigderson 1986] considers two types of players: honest players and malicious players. Honest players are assumed to faithfully execute the prescribed protocol using their intended input; malicious players, on the other hand, are assumed to do anything in their power to undermine the security of honest players. Roughly speaking, a protocol $\Pi$ is said to securely implement the mediator $\mathcal{F}$ if (1) the malicious players cannot influence the output of the communication phase any more than they could have by communicating directly with the mediator; this is called correctness, and (2) the malicious players cannot "learn" more than what can be efficiently computed from only the output of the mediator; this is called privacy. These properties are formalized through the zero-knowledge simulation paradigm [Goldwasser, Micali, and Rackoff 1989]: roughly, we require that any "harm" done by an adversary in the protocol execution could be simulated by a polynomially-bounded Turing machine, called the simulator, that communicates only with the mediator. Three levels of security are usually considered: perfect, statistical, and computational. Perfect security guarantees that correctness and privacy hold with probability 1; statistical security allows for a "negligible" error probability; and computational security considers only adversaries that can be implemented by

The traditional game-theoretic notion of implementation (see [Forges 1986; Forges 1990]) does not explicitly consider properties such as privacy and correctness, but instead requires that the implementation preserve a given Nash equilibrium of the mediated game. Roughly speaking, the game-theoretic notion of implementation says that a strategy profile $\vec\sigma$ implements a mediator $\mathcal{F}$ if, as long as it is a Nash equilibrium for the players to tell the mediator their type and output what the mediator recommends, then $\vec\sigma$ is a Nash equilibrium in the "cheap talk" game (where the players just talk to each other, rather than talking to a mediator) that has the same distribution over outputs as when the players talk to the mediator. In other words, whenever a set of parties have incentives to tell the mediator their inputs, they also have incentives to honestly use $\vec\sigma$ using the same inputs, and get the same distribution over outputs in both cases.

The key differences between the notions are that the game-theoretic notion does not consider privacy issues and the cryptographic notion does not consider incentives: the game-theoretic notion talks about preserving Nash equilibria (which cannot be done in the cryptographic notion, since there are no incentives), while the cryptographic notion talks about security against malicious adversaries.

Although the cryptographic notion does not consider incentives, it is nonetheless stronger than the game-theoretic notion. More precisely, the cryptographic notion of implementation implies the game-theoretic notion of implementation; that is, all perfectly-secure implementations are also game-theoretic implementations.¹ A corresponding implication holds for statistically- and computationally-secure implementations if we consider appropriate variants of game-theoretic implementation that require only that running $\Pi$ is an $\epsilon$-Nash equilibrium, resp., a "computational" $\epsilon$-Nash equilibrium, where players are restricted to using polynomially-bounded Turing machines; see [Dodis, Halevi, and Rabin 2000; Dodis and Rabin 2007; Lepinski, Micali, Peikert, and Shelat 2004].²

¹For completeness, we formalize this in Proposition 4.1.

²[Dodis, Halevi, and Rabin 2000; Lepinski, Micali, Peikert, and Shelat 2004] consider only implementations of correlated equilibrium, but the same proof extends to arbitrary mediators as well.
The converse implication does not hold. Since the traditional game-theoretic notion of implementation does not consider computational cost (indeed, more generally, traditional solution concepts in game theory do not take computation into account), it cannot take into account issues like computational efficiency, or the computational advantages possibly gained by using $\Pi$, issues that are critical in the cryptographic notion. Another difference is that the game-theoretic definition does not consider coalitions of players.

There have been several recent works that attempt to bridge these two notions (e.g., [Abraham, Dolev, Gonen, and Halpern 2006; Dodis, Halevi, and Rabin 2000; Gordon and Katz 2006; Halpern and Teague 2004; Izmalkov, Lepinski, and Micali 2008; Kol and Naor 2008; Shoham and Tennenholtz 2005]). Most notably, Izmalkov, Lepinski and Micali [Izmalkov, Lepinski, and Micali 2008] (see also [Kol and Naor 2008]) present a "hybrid" definition, where correctness is defined through the game-theoretic notion, and privacy through the zero-knowledge paradigm. In other words, the privacy part — which is defined through the cryptographic paradigm — recognizes that computation is costly to players. But the incentive part — which is defined through the game-theoretic paradigm — does not. As a consequence, if computation is a costly resource for the players, none of the earlier definitions provide explicit guarantees about players' incentives to correctly execute a protocol with their intended input. For instance, a player might not want to execute a protocol if doing so is too computationally expensive. Similarly, a player $i$ might want to change its input if executing the protocol gives some other player $j$ a computational advantage in determining player $i$'s input.

We suggest a different approach, based on the game-theoretic approach. Roughly speaking, we say that $\Pi$ implements a mediator $\mathcal{F}$ if for all games $G$ — including games where computation is costly — that use $\mathcal{F}$ for which (the utilities in $G$ are such that) it is an equilibrium for the players to truthfully tell $\mathcal{F}$ their inputs, running $\Pi$ on the same set of inputs (and with the same utility functions) is also an equilibrium and produces the same distribution over outputs as $\mathcal{F}$.⁴ To model games where computation is costly, we rely on (and extend) a framework we introduced in a companion paper [Halpern and Pass 2008], which generalizes earlier approaches in the literature (e.g., [Rubinstein 1986; Ben-Sasson, Kalai, and Kalai 2007]). Roughly speaking, whereas in traditional games, the utility of a player only depends on the types and the actions of players, in a computational game, the players' utilities depend also on the complexities of the strategies of the players; the complexity of a strategy — represented as a Turing machine — could, for instance, represent the running time of, or space used by, the machine on a particular input. (To provide security with respect to coalitions of players, we also allow $G$ to be a coalitional game [Neumann and Morgenstern 1947].)

Note that by requiring the implementation to work for all games, not only do we ensure that players have proper incentives to execute protocols with their intended input, even if they consider computation a costly resource, but we get the privacy and correctness requirements "for free". For suppose that, when using $\Pi$, some information about $i$'s input is revealed to $j$. We consider a zero-sum game $G$ where a player $j$ gains some significant utility by having this information. In this game, $i$ will not want to use $\Pi$. However, our notion of implementation requires that, even with the utilities in $G$, $i$ should want to use $\Pi$ if $i$ is willing to use the mediator $\mathcal{F}$. (This argument depends on the fact that we consider games where computation is costly; the fact that $j$ gains information about $i$'s input may mean that $j$ can do some computation faster with this information than without it.) As a consequence, our definition gives a relatively simple (and strong) way of formalizing the security of protocols, relying only on basic notions from game theory.

³In fact, Izmalkov, Lepinski, and Micali [2008] consider an even stronger notion of implementation, which they call perfect implementation. See Section 3 for more details.

⁴While the definitions of implementation in the game-theory literature (e.g., [Forges 1986; Forges 1990]) do not stress the uniformity of the implementation — that is, the fact that it works for all games — the implementations provided are in fact uniform in this sense.

Perhaps surprisingly, we show that, under weak restrictions on the utility functions of the players (essentially, that players never prefer to compute more), our notion of implementation is equivalent to a variant of the cryptographic notion of precise secure computation, recently introduced by Micali and Pass [2006]. Roughly speaking, the notion of precise secure computation requires that any harm done by an adversary in a protocol execution could have been done also by a simulator, using the same complexity distribution as the adversary. In contrast, the traditional definition of secure computation requires only that the simulator's complexity preserves the worst-case complexity of the adversary. By considering specific measures of complexity (such as worst-case running time and space) we can obtain a game-theoretic characterization of the traditional (i.e., "non-precise") notion of secure computation.

This result shows that the two approaches used for dealing with "deviating" players in two different communities — Nash equilibrium in game theory, and zero-knowledge "simulation" in cryptography — are intimately connected; indeed, they are essentially equivalent in the context of implementing mediators, once we take the cost of computation into account. It follows immediately from our result that known protocols, such as those in [Ben-Or, Goldwasser, and Wigderson 1988; Canetti 2001; Goldreich, Micali, and Wigderson 1987; Izmalkov, Lepinski, and Micali 2008; Micali and Pass 2006; Micali and Pass 2007], satisfy our game-theoretic notion of implementation. Moreover, lower bounds for the traditional notion of secure computation immediately yield lower bounds for implementations.

Our equivalence result might seem like a negative result: it demonstrates that considering only rational players (as opposed to arbitrary malicious players) does not facilitate protocol design. We emphasize, however, that for the equivalence to hold, we must consider implementations with only weak restrictions on the utility functions. In many settings, it might be reasonable to consider stronger restrictions on the utility functions of players: for instance, that players strictly prefer to compute less, that players do not want to be caught "cheating", or that players might not be concerned about the privacy of part of their inputs. As we show, it is easier to provide implementations for such (restricted) classes of games, allowing us to circumvent classical impossibility results (e.g., [Cleve 1986]) for the traditional notion of secure computation. We believe that this generality is an important advantage of a notion of security that does not rely on the zero-knowledge simulation paradigm.⁵ Indeed, our work has already led to several followups: Micali and Shelat [2009] consider costly computation in the context of secret-sharing, Rosen and Shelat [2000] consider it in the context of concurrent security, and Miltersen et al. [2009] provide an alternative approach for capturing privacy using utility.

2 A Computational Game-Theoretic Framework

2.1 Bayesian Games

We model costly computation using Bayesian machine games, introduced by us in a companion paper [Halpern and Pass 2008]. To explain our approach, we first review the standard notion of a Bayesian game. A Bayesian game is a game of incomplete information, where each player makes a single move. The "incomplete information" is captured by assuming that nature makes an initial move, and chooses for each player $i$ a type in some set $T_i$. Player $i$'s type can be viewed as describing $i$'s private information. For ease of exposition, we assume in this paper that the set $N$ of players is always $[m] = \{1, \ldots, m\}$, for some $m$. If $N = [m]$, the set $T = T_1 \times \cdots \times T_m$ is the type space. As is standard, we assume that there is a commonly-known probability distribution $\Pr$ on the type space $T$. Each player $i$ must choose an action from a space $A_i$ of actions. Let $A = A_1 \times \cdots \times A_m$ be the set of action profiles. A Bayesian game is characterized by the tuple $([m], T, A, \Pr, \vec u)$, where $[m]$ is the set of players, $T$ is the type space, $A$ is the set of joint actions, and $\vec u$ is the utility function, where $u_i(\vec t, \vec a)$ is player $i$'s utility (or payoff) if the type profile is $\vec t$ and action profile $\vec a$ is played.

⁵We mention that almost all general notions of security have been based on the zero-knowledge simulation paradigm. One notable exception is the definition of input-indistinguishable computation of Micali, Pass and Rosen [2006]. This notion is useful in circumventing impossibility results regarding concurrency, but still suffers from impossibility results [Cleve 1986].

In general, a player's choice of action will depend on his type. A strategy for player $i$ is a function from $T_i$ to $\Delta(A_i)$ (where, as usual, we denote by $\Delta(X)$ the set of distributions on the set $X$). If $\sigma$ is a strategy for player $i$, $t \in T_i$ and $a \in A_i$, then $\sigma(t)(a)$ denotes the probability of action $a$ according to the distribution on acts induced by $\sigma(t)$. Given a joint strategy $\vec\sigma$, we can take $u_i^{\vec\sigma}$ to be the random variable on the type space $T$ defined by taking

$$u_i^{\vec\sigma}(\vec t) = \sum_{\vec a \in A} \big(\sigma_1(t_1)(a_1) \times \cdots \times \sigma_m(t_m)(a_m)\big)\, u_i(\vec t, \vec a).$$

Player $i$'s expected utility if $\vec\sigma$ is played, denoted $U_i(\vec\sigma)$, is then just $E_{\Pr}[u_i^{\vec\sigma}] = \sum_{\vec t \in T} \Pr(\vec t)\, u_i^{\vec\sigma}(\vec t)$.

2.2 Bayesian Machine Games

In a Bayesian game, it is implicitly assumed that computing a strategy — that is, computing what move to make given a type — is free. We want to take the cost of computation into account here. To this end, we consider what we call Bayesian machine games, where we replace strategies by machines. For definiteness, we take the machines to be Turing machines, although the exact choice of computing formalism is not significant for our purposes. Given a type, a strategy in a Bayesian game returns a distribution over actions. Similarly, given as input a type, the machine returns a distribution over actions. As is standard, we model the distribution by assuming that the machine actually gets as input not only the type, but a random string of 0s and 1s (which can be thought of as the sequence of heads and tails), and then (deterministically) outputs an action. Just as we talk about the expected utility of a strategy profile in a Bayesian game, we can talk about the expected utility of a machine profile in a Bayesian machine game. However, we can no longer compute the expected utility by just taking the expectation over the action profiles that result from playing the game. A player's utility depends not only on the type profile and action profile played by the machine, but also on the "complexity" of the machine given an input. The complexity of a machine can represent, for example, the running time or space usage of the machine on that input, the size of the program description, or some combination of these factors. For simplicity, we describe the complexity by a single number, although, since a number of factors may be relevant, it may be more appropriate to represent it by a tuple of numbers in some cases. (We can, of course, always encode the tuple as a single number, but in that case, "higher" complexity is not necessarily worse.) Note that when determining player $i$'s utility, we consider the complexity of all machines in the profile, not just that of $i$'s machine. For example, $i$ might be happy as long as his machine takes fewer steps than $j$'s.

We assume that nature has a type in $\{0,1\}^*$. While there is no need to include a type for nature in standard Bayesian games (we can effectively incorporate nature's type into the type of the players), once we take computation into account, we obtain a more expressive class of games by allowing nature to have a type (since the complexity of computing the utility may depend on nature's type). We assume that machines take as input strings of 0s and 1s and output strings of 0s and 1s. Thus, we assume that both types and actions can be represented as elements of $\{0,1\}^*$. We allow machines to randomize, so given a type as input, we actually get a distribution over strings. To capture this, we assume that the input to a machine is not only a type, but also a string chosen with uniform probability from $\{0,1\}^\infty$ (which we can view as the outcome of an infinite sequence of coin tosses). The machine's output is then a deterministic function of its type and the infinite random string.

We use the convention that the output of a machine that does not terminate is a fixed special symbol $\omega$. We define a view to be a pair $(t, r)$ of two bitstrings; we think of $t$ as that part of the type that is read, and $r$ is the string of random bits used. (Our definition is slightly different from the traditional way of defining a view, in that we include only the parts of the type and the random sequence actually read. If computation is not taken into account, there is no loss in generality in including the full type and the full random sequence, and this is what has traditionally been done in the literature. However, when computation is costly, this might no longer be the case.) We denote by $t; r$ a string in $\{0,1\}^*; \{0,1\}^*$ representing the view. (Note that here and elsewhere, we use ; as a special symbol that acts as a separator between strings in $\{0,1\}^*$.) If $v = (t; r)$ and $r$ is a finite string, we take $M(v)$ to be the output of $M$ given input type $t$ and random string $r \cdot 0^\infty$.

We now briefly review our computational game-theoretic framework [Halpern and Pass 2008], which will form the basis of our game-theoretic definition of security. We then introduce some additional notions that will be necessary to capture security. We use a complexity function $\mathscr{C} : \mathcal{M} \times \{0,1\}^*; \{0,1\}^* \cup \{0,1\}^\infty \to \mathbb{N}$, where $\mathcal{M}$ denotes the set of Turing machines, to describe the complexity of a machine given a view. If $t \in \{0,1\}^*$ and $r \in \{0,1\}^\infty$, we identify $\mathscr{C}(M, t; r)$ with $\mathscr{C}(M, t; r')$, where $r'$ is the finite prefix of $r$ actually used by $M$ when running on input $t$ with random string $r$.

For now, we assume that machines run in isolation, so the output and complexity of a machine does not depend on the machine profile. We remove this restriction in the next section, where we allow machines to communicate with mediators (and thus, implicitly, with each other via the mediator).

Definition 2.1 (Bayesian machine game) A Bayesian machine game $G$ is described by a tuple $([m], \mathcal{M}, T, \Pr, \mathscr{C}_1, \ldots, \mathscr{C}_m, u_1, \ldots, u_m)$, where

• $[m] = \{1, \ldots, m\}$ is the set of players;

• $\mathcal{M}$ is the set of possible machines;

• $T \subseteq (\{0,1\}^*)^{m+1}$ is the set of type profiles, where the $(m+1)$st element in the profile corresponds to nature's type;

• $\Pr$ is a distribution on $T$;

• $\mathscr{C}_i$ is a complexity function;

• $u_i : T \times (\{0,1\}^*)^m \times \mathbb{N}^m \to \mathbb{R}$ is player $i$'s utility function. Intuitively, $u_i(\vec t, \vec a, \vec c)$ is the utility of player $i$ if $\vec t$ is the type profile, $\vec a$ is the action profile (where we identify $i$'s action with $M_i$'s output), and $\vec c$ is the profile of machine complexities.

We can now define the expected utility of a machine profile. Given a Bayesian machine game $G = ([m], \mathcal{M}, \Pr, T, \vec{\mathscr{C}}, \vec u)$ and $\vec M \in \mathcal{M}^m$, define the random variable $u_i^{G,\vec M}$ on $T \times (\{0,1\}^\infty)^m$ (i.e., the space of type profiles and sequences of random strings) by taking

$$u_i^{G,\vec M}(\vec t, \vec r) = u_i\big(\vec t,\ M_1(t_1; r_1), \ldots, M_m(t_m; r_m),\ \mathscr{C}_1(M_1, t_1; r_1), \ldots, \mathscr{C}_m(M_m, t_m; r_m)\big).$$

Note that there are two sources of uncertainty in computing the expected utility: the type $\vec t$ and realization of the random coin tosses of the players, which is an element of $(\{0,1\}^\infty)^k$. Let $\Pr^k_U$ denote the uniform distribution on $(\{0,1\}^\infty)^k$. Given an arbitrary distribution $\Pr_X$ on a space $X$, we write $\Pr^{+k}_X$ to denote the distribution $\Pr_X \times \Pr^k_U$ on $X \times (\{0,1\}^\infty)^k$. If $k$ is clear from context or not relevant, we often omit it, writing $\Pr_U$ and $\Pr^+_X$. Thus, given the probability $\Pr$ on $T$, the expected utility of player $i$ in game $G$ if $\vec M$ is used is the expectation of the random variable $u_i^{G,\vec M}$ with respect to the distribution $\Pr^+$ (technically, $\Pr^{+m}$): $U_i^G(\vec M) = E_{\Pr^+}[u_i^{G,\vec M}]$. Note that this notion of utility allows an agent to prefer a machine that runs faster to one that runs slower, even if they give the same output, or to prefer a machine that has faster running time to one that gives a better output. Because we allow the utility to depend on the whole profile of complexities, we can capture a situation where $i$ can be "happy" as long as his machine runs faster than $j$'s machine. Of course, an important special case is where $i$'s utility depends only on his own complexity. All of our results continue to hold if we make this restriction.

Given the definition of utility above, we can now define ($\epsilon$-) Nash equilibrium in the standard way.

Definition 2.2 (Nash equilibrium in machine games) Given a Bayesian machine game $G = ([m], \mathcal{M}, T, \Pr, \vec{\mathscr{C}}, \vec u)$, a machine profile $\vec M \in \mathcal{M}^m$, and $\epsilon \geq 0$, $M_i$ is an $\epsilon$-best response to $\vec M_{-i}$ if, for every $M_i' \in \mathcal{M}$,

$$U_i^G[(M_i, \vec M_{-i})] \geq U_i^G[(M_i', \vec M_{-i})] - \epsilon.$$

(As usual, $\vec M_{-i}$ denotes the tuple consisting of all machines in $\vec M$ other than $M_i$.) $\vec M$ is an $\epsilon$-Nash equilibrium of $G$ if, for all players $i$, $M_i$ is an $\epsilon$-best response to $\vec M_{-i}$. A Nash equilibrium is a 0-Nash equilibrium.

For further intuition into this notion, we refer the reader to our companion paper [Halpern and Pass 2008] where we provide a more in-depth study of traditional game-theoretic questions (such as existence of Nash equilibria) for computational games, and show how computational considerations can help explain experimentally-observed phenomena in well-studied games in a psychologically appealing way.

One immediate advantage of taking computation into account is that we can formalize the intuition that $\epsilon$-Nash equilibria are reasonable, because players will not bother changing strategies for a gain of $\epsilon$. Intuitively, the complexity function can "charge" $\epsilon$ for switching strategies. Specifically, an $\epsilon$-Nash equilibrium $\vec M$ can be converted to a Nash equilibrium by modifying player $i$'s complexity function to incorporate the overhead of switching from $M_i$ to some other strategy, and having player $i$'s utility function decrease by $\epsilon' > \epsilon$ if the switching cost is nonzero; we omit the formal details here. Thus, the framework lets us incorporate explicitly the reasons that players might be willing to play an $\epsilon$-Nash equilibrium. This justification of $\epsilon$-Nash equilibrium seems particularly appealing when designing mechanisms (e.g., cryptographic protocols) where the equilibrium strategy is made "freely" available to the players (e.g., it is accessible on a web-page), but any other strategy requires some implementation cost.

In order to define our game-theoretic notion of protocol security, we need to introduce some extensions to the basic framework of [Halpern and Pass 2008]. Specifically, we will be interested only in equilibria that are robust in a certain sense, and we want equilibria that deal with deviations by coalitions, since the security literature allows malicious players that deviate in a coordinated way. Furthermore, we need to formally define mediated games.

2.3 Computationally Robust Nash Equilibrium

Computers get faster, cheaper, and more powerful every year. Since utility in a Bayesian machine game takes computational complexity into account, this suggests that an agent's utility function will change when he replaces one computer by a newer computer. We are thus interested in robust equilibria, intuitively, ones that continue to be equilibria (or, more precisely, $\epsilon$-equilibria for some appropriate $\epsilon$) even if agents' utilities change as a result of upgrading computers.

Definition 2.3 (Computationally robust Nash equilibrium) Let $p : \mathbb{N} \to \mathbb{N}$. The complexity function $\mathscr{C}'$ is at most a $p$-speedup of the complexity function $\mathscr{C}$ if, for all machines $M$ and views $v$,

$$\mathscr{C}'(M, v) \leq \mathscr{C}(M, v) \leq p(\mathscr{C}'(M, v)).$$

Game $G' = ([m'], \mathcal{M}', \Pr', \vec{\mathscr{C}}', \vec u')$ is at most a $p$-speedup of game $G = ([m], \mathcal{M}, \Pr, \vec{\mathscr{C}}, \vec u)$ if $m' = m$, $\Pr = \Pr'$ and $\vec u = \vec u'$ (i.e., $G'$ and $G$ differ only in their complexity and machine profiles), and $\mathscr{C}_i'$ is at most a $p$-speedup of $\mathscr{C}_i$, for $i = 1, \ldots, m$. $M_i$ is a $p$-robust $\epsilon$-best response to $\vec M_{-i}$ in $G$, if for every game $G'$ that is at most a $p$-speedup of $G$, $M_i$ is an $\epsilon$-best response to $\vec M_{-i}$. $\vec M$ is a $p$-robust $\epsilon$-equilibrium for $G$ if, for all $i$, $M_i$ is a $p$-robust $\epsilon$-best response to $\vec M_{-i}$.

Intuitively, if we think of complexity as denoting running time and $\mathscr{C}$ describes the running time of machines (i.e., programs) on an older computer, then $\mathscr{C}'$ describes the running time of machines on an upgraded computer. For instance, if the upgraded computer runs at most twice as fast as the older one (but never slower), then $\mathscr{C}'$ is a $\bar{2}$-speedup of $\mathscr{C}$, where $\bar{k}$ denotes the constant function $k$. Clearly, if $\vec M$ is a Nash equilibrium of $G$, then it is a $\bar{1}$-robust equilibrium. We can think of $p$-robust equilibrium as a refinement of Nash equilibrium for machine games, just like sequential equilibrium [Kreps and Wilson 1982] or perfect equilibrium [Selten 1975]; it provides a principled way of ignoring "bad" Nash equilibria. Note that in games where computation is free, every Nash equilibrium is also computationally robust.
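To make Definitions 2.1 to 2.3 concrete, here is an added worked example (our own illustration, not code from the paper): a two-player Bayesian machine game with three candidate machines, where the complexity of a machine on a view is the number of type bits plus coin bits it actually read, and player $i$'s utility is 2 if its output equals the parity of its own type, minus half its own complexity. The game, the machines and the speedup $p(n) = 2n$ are all constructed for the example; the code computes $U_i^G(\vec M)$ exactly, checks $\epsilon$-best responses, and enumerates every complexity function that is at most a $p$-speedup to decide $p$-robustness, which is why the "lazy" equilibrium (both players output 0) is a Nash equilibrium but not a $2n$-robust one.

```python
"""Worked example of Definitions 2.1-2.3: a two-player Bayesian machine game.

Constructed for illustration (not from the paper). Complexity of a machine on
a view = number of type bits + number of coin bits it actually read, matching
the convention that a view contains only the parts of the input consumed.
"""
from fractions import Fraction
from itertools import product

TYPES = ["00", "01", "10", "11"]   # each player's type: 2 bits, uniform
COINS = ["0", "1"]                 # the machines below read at most one coin
LAMBDA = Fraction(1, 2)            # price of one unit of complexity

def parity_of(t):
    return str(int(t[0]) ^ int(t[1]))

# Machines are deterministic in (type, random string) and return (output, view),
# where view = (part of the type read, part of the random string read).
def parity_machine(t, r):
    return parity_of(t), (t[:2], "")        # reads both type bits, no coins

def guess_machine(t, r):
    return r[0], ("", r[:1])                # ignores the type, flips one coin

def const0_machine(t, r):
    return "0", ("", "")                    # reads nothing at all

MACHINES = {"parity": parity_machine, "guess": guess_machine, "const0": const0_machine}

def base_complexity(name, view):
    """The complexity function C(M, v) of the 'old computer'."""
    t_read, r_read = view
    return len(t_read) + len(r_read)

def utility(i, types, actions, comps):
    """u_i(t, a, c): 2 for outputting the parity of own type, minus LAMBDA per
    unit of i's own complexity (the paper's 'own complexity only' special case)."""
    return (2 if actions[i] == parity_of(types[i]) else 0) - LAMBDA * comps[i]

def expected_utility(i, profile, complexity):
    """U_i^G(M): exact expectation over type profiles and coin strings."""
    n = len(profile)
    total, count = Fraction(0), 0
    for types, coins in product(product(TYPES, repeat=n), product(COINS, repeat=n)):
        actions, comps = [], []
        for j, name in enumerate(profile):
            out, view = MACHINES[name](types[j], coins[j])
            actions.append(out)
            comps.append(complexity(name, view))
        total += utility(i, types, actions, comps)
        count += 1
    return total / count

def is_eps_best_response(i, profile, complexity, eps=0):
    """Definition 2.2: no M_i' in MACHINES gains more than eps for player i."""
    base = expected_utility(i, profile, complexity)
    for alt in MACHINES:
        deviation = list(profile)
        deviation[i] = alt
        if expected_utility(i, deviation, complexity) > base + eps:
            return False
    return True

def is_eps_nash(profile, complexity, eps=0):
    return all(is_eps_best_response(i, profile, complexity, eps) for i in range(len(profile)))

def views_of(name):
    return sorted({MACHINES[name](t, r)[1] for t in TYPES for r in COINS})

def speedups(complexity, p):
    """Every complexity function C' with C'(M,v) <= C(M,v) <= p(C'(M,v))
    (Definition 2.3), enumerated over the finitely many (machine, view) pairs
    that can occur in this game."""
    keys = [(name, v) for name in MACHINES for v in views_of(name)]
    options = []
    for name, v in keys:
        c = complexity(name, v)
        options.append([c2 for c2 in range(c + 1) if c <= p(c2)])
    for combo in product(*options):
        table = dict(zip(keys, combo))
        yield lambda name, v, table=table: table[(name, v)]

def is_p_robust_best_response(i, profile, complexity, p, eps=0):
    """Definition 2.3: M_i stays an eps-best response under every p-speedup."""
    return all(is_eps_best_response(i, profile, c2, eps) for c2 in speedups(complexity, p))

if __name__ == "__main__":
    twice = lambda n: 2 * n
    for prof in [("parity", "parity"), ("const0", "const0"), ("guess", "guess")]:
        print(prof, "U_1 =", expected_utility(0, prof, base_complexity),
              "Nash:", is_eps_nash(prof, base_complexity),
              "1/2-Nash:", is_eps_nash(prof, base_complexity, Fraction(1, 2)),
              "2n-robust for player 1:", is_p_robust_best_response(0, prof, base_complexity, twice))
```

Both (parity, parity) and (const0, const0) are Nash equilibria at utility 1, but only the parity profile survives the $2n$-speedup check, since a faster computer can make the parity machine strictly better than outputting 0.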

2.4  Coalition  Machine  Games 

We  strengthen  the  notion  of  Nash  equilibrium  to  allow  for  deviating  coalitions.  Towards  this  goal, 
we  consider  a  generalization  of  Bayesian  machine  games  called  coalition  machine  games,  where, 
in  the  spirit  of  coalitional  games  [Neumann  and  Morgenstern  1947],  each  subset  of  players  has  a 
complexity  function  and  utility  function  associated  with  it.  In  analogy  with  the  traditional  notion 
of  Nash  equilibrium,  which  considers  only  “single-player”  deviations,  we  consider  only  “single¬ 
coalition”  deviations. 

More precisely, given a subset $Z$ of $[m]$, we let $-Z$ denote the set $[m] \setminus Z$. We say that a machine $M'_Z$ controls the players in $Z$ if $M'_Z$ controls the input and output tapes of the players in set $Z$ (and thus can coordinate their outputs). In addition, the adversary that controls $Z$ has its own input and output tape. A coalition machine game $G$ is described by a tuple $([m], \mathcal{M}, \Pr, \vec{\mathscr{C}}, \vec{u})$, where $\vec{\mathscr{C}}$ and $\vec{u}$ are sequences of complexity functions $\mathscr{C}_Z$ and utility functions $u_Z$, respectively, one for each subset $Z$ of $[m]$; $m$, $\mathcal{M}$, and $\Pr$ are defined as in Definition 2.1. In contrast, the utility function $u_Z$ for the set $Z$ is a function $T \times (\{0,1\}^*)^m \times (\mathbb{N} \times \mathbb{N}^{m-|Z|+1}) \to \mathbb{R}$, where $u_Z(\vec{t}, \vec{a}, (c_Z, \vec{c}_{-Z}))$ is the utility of the coalition $Z$ if $\vec{t}$ is the (length $m+1$) type profile, $\vec{a}$ is the (length $m$) action profile (where we identify $i$'s action with player $i$'s output), $c_Z$ is the complexity of the coalition $Z$, and $\vec{c}_{-Z}$ is the (length $m - |Z|$) profile of machine complexities for the players in $-Z$. The complexity $c_Z$ is a measure of the complexity, according to whoever controls coalition $Z$, of running the coalition. Note that even if the coalition is controlled by a machine $M'_Z$ that lets each of the players in $Z$ perform independent computations, the complexity of $M'_Z$ is not necessarily some function of the complexities $c_i$ of the players $i \in Z$ (such as the sum or the max). Moreover, while cooperative game theory tends to focus on superadditive utility functions, where the utility of a coalition is at least the sum of the utilities of any partition of the coalition into sub-coalitions or individual players, we make no such restrictions; indeed, when taking complexity into account, it might very well be the case that larger coalitions are more expensive than smaller ones. Also note that, in our calculations, we assume that, other than the coalition $Z$, all the other players play individually (so that we use $c_i$ for $i \notin Z$); there is at most one coalition in the picture. Having defined $u_Z$, we can define the expected utility of the group $Z$ in the obvious way.

The benign machine for coalition $Z$, denoted $M^b_Z$, is the one that gives each player $i \in Z$ its true input, and each player $i \in Z$ outputs the output of $M_i$; $M^b_Z$ writes nothing on its own output tape. Essentially, the benign machine does exactly what all the players in the coalition would have done anyway. We now extend the notion of Nash equilibrium to deal with coalitions; it requires that in an equilibrium $\vec{M}$, no coalition does (much) better than it would using the benign machine, according to the utility function for that coalition.

Definition 2.4 (Nash equilibrium in coalition machine games) Given an $m$-player coalition machine game $G$, a machine profile $\vec{M}$, a subset $Z$ of $[m]$ and $\epsilon \geq 0$, $M^b_Z$ is an $\epsilon$-best response to $\vec{M}_{-Z}$ if, for every coalition machine $M'_Z \in \mathcal{M}$,

$$U^G_Z[(M^b_Z, \vec{M}_{-Z})] \geq U^G_Z[(M'_Z, \vec{M}_{-Z})] - \epsilon.$$

Given a set $\mathcal{Z}$ of subsets of $[m]$, $\vec{M}$ is a $\mathcal{Z}$-safe $\epsilon$-Nash equilibrium for $G$ if, for all $Z \in \mathcal{Z}$, $M^b_Z$ is an $\epsilon$-best response to $\vec{M}_{-Z}$.

Our notion of coalition games is quite general. In particular, if we disregard the costs of computation,$^6$ it allows us to capture some standard notions of coalition resistance in the literature, by choosing $u_Z$ appropriately. For example, Aumann's [1959] notion of strong equilibrium requires that, for all coalitions, it is not the case that there is a deviation that makes everyone in the coalition strictly better off. To capture this, fix a profile $\vec{M}$, and define $u^{\vec{M}}_Z(M'_Z, \vec{M}_{-Z}) = \min_{i \in Z} u_i(M'_Z, \vec{M}_{-Z}) -$ We can capture the notion of $k$-resilient equilibrium [Abraham, Dolev, Gonen, and Halpern 2006; Abraham, Dolev, and Halpern 2008], where the only deviations allowed are by coalitions of size at most $k$, by restricting $\mathcal{Z}$ to consist of sets of cardinality at most $k$ (so a 1-resilient equilibrium is just a Nash equilibrium). Abraham et al. [2006, 2008] also consider a notion of strong $k$-resilient equilibrium, where there is no deviation by the coalition that makes even one coalition member strictly better off. We can capture this by replacing the min in the definition of $u^{\vec{M}}_Z$ by max.
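As an added worked example, not code from the paper, the following Python checks Definition 2.4 on a constructed three-player game with computation costs disregarded, instantiating $u^{\vec{M}}_Z$ as the min (Aumann's strong equilibrium and $k$-resilience) or the max (strong $k$-resilience) over $i \in Z$ of player $i$'s gain relative to the fixed profile $\vec{M}$. Using the gain relative to $\vec{M}$ as the compared quantity, the payoff table and the action names are assumptions made here.

```python
# Added example: checking Definition 2.4 for a small coalition machine game
# with computation costs disregarded, so a "machine" is just an action.  The
# coalition utility u^M_Z is assumed here to be min (or max) over i in Z of
# player i's gain relative to the fixed profile M; the benign machine then
# scores 0, and a violation is a deviation whose aggregate gain exceeds eps.
from itertools import combinations, product
from typing import Callable, Dict, List, Sequence, Tuple

Profile = Tuple[str, ...]
Utility = Callable[[Profile], Sequence[float]]   # u(profile) -> (u_1, ..., u_m)
Aggregate = Callable[[Sequence[float]], float]   # min (Aumann) or max (strong)
Violation = Tuple[Tuple[int, ...], Profile, float]


def coalition_gain(u: Utility, fixed: Profile, Z: Tuple[int, ...],
                   deviation: Profile, agg: Aggregate) -> float:
    """u^M_Z(M'_Z, M_{-Z}): aggregate over i in Z of u_i(M'_Z, M_{-Z}) - u_i(M)."""
    base, dev = u(fixed), u(deviation)
    return agg([dev[i] - base[i] for i in Z])


def coalition_violations(u: Utility, actions: Dict[int, Sequence[str]], fixed: Profile,
                         Z: Tuple[int, ...], eps: float, agg: Aggregate) -> List[Violation]:
    """Deviations M'_Z for which the benign machine M^b_Z is not an eps-best
    response to M_{-Z}, i.e. U_Z(M^b_Z, M_{-Z}) < U_Z(M'_Z, M_{-Z}) - eps."""
    benign = coalition_gain(u, fixed, Z, fixed, agg)  # every member's gain is 0
    found: List[Violation] = []
    for joint in product(*(actions[i] for i in Z)):
        dev = list(fixed)
        for i, a in zip(Z, joint):
            dev[i] = a
        if tuple(dev) == fixed:
            continue
        val = coalition_gain(u, fixed, Z, tuple(dev), agg)
        if benign < val - eps:
            found.append((Z, tuple(dev), val))
    return found


def is_safe_eps_nash(u, actions, fixed, coalitions, eps, agg) -> bool:
    """fixed is a Z-safe eps-Nash equilibrium iff no coalition in Z has a violation."""
    return all(not coalition_violations(u, actions, fixed, Z, eps, agg) for Z in coalitions)


def coalitions_up_to(m: int, k: int) -> List[Tuple[int, ...]]:
    """All non-empty subsets of [m] = {0, ..., m-1} of cardinality at most k."""
    return [Z for size in range(1, k + 1) for Z in combinations(range(m), size)]


def k_resilient(u, actions, fixed, k, eps=0.0) -> bool:
    """k-resilient: no coalition of size <= k can make *all* its members gain > eps."""
    return is_safe_eps_nash(u, actions, fixed, coalitions_up_to(len(fixed), k), eps, min)


def strong_k_resilient(u, actions, fixed, k, eps=0.0) -> bool:
    """Strong k-resilient: no coalition of size <= k can make *any* member gain > eps."""
    return is_safe_eps_nash(u, actions, fixed, coalitions_up_to(len(fixed), k), eps, max)


# Constructed 3-player game: all-C is a Nash equilibrium, but the pair {0,1}
# can jointly switch to D and both gain, and {0,2} can switch so that only
# player 0 gains, at player 2's expense.
PAYOFF: Dict[Profile, Tuple[float, float, float]] = {
    ("C", "C", "C"): (1, 1, 1),
    ("D", "C", "C"): (0, 1, 1), ("C", "D", "C"): (1, 0, 1), ("C", "C", "D"): (1, 1, 0),
    ("D", "D", "C"): (2, 2, 0), ("D", "C", "D"): (2, 1, 0), ("C", "D", "D"): (1, 0, 0),
    ("D", "D", "D"): (0, 0, 0),
}
ACTIONS = {i: ("C", "D") for i in range(3)}
ALL_C: Profile = ("C", "C", "C")


def u_example(profile: Profile) -> Tuple[float, float, float]:
    return PAYOFF[profile]
```

On this game, all-C is 1-resilient but neither 2-resilient (players 0 and 1 both gain by jointly playing D) nor strong 2-resilient (the pair {0, 2} has a deviation that helps player 0 alone), while it is 2-resilient for $\epsilon = 1$ because the joint gain is exactly 1.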

2.5  Machine  Games  with  Mediators 

Up to now we have assumed that the only input a machine receives is the initial type. This is appropriate in a normal-form game, but does not allow us to consider games where players can communicate with each other and (possibly) with a trusted mediator. We now extend Bayesian machine games to allow for communication. For ease of exposition, we assume that all communication passes between the players and a trusted mediator. Communication between the players is modeled by having a trusted mediator who passes along messages received from the players. Thus, we think of the players as having reliable communication channels to and from a mediator; no other communication channels are assumed to exist.

The formal definition of a Bayesian machine game with a mediator is similar in spirit to that of a Bayesian machine game, but now we assume that the machines are interactive Turing machines that can also send and receive messages. We omit the formal definition of an interactive Turing machine (see, for example, [Goldreich 2001]); roughly speaking, the machines use a special tape where the message to be sent is placed and another tape where a message to be received is written. The mediator is modeled by an interactive Turing machine that we denote $\mathcal{F}$. A Bayesian machine game with a mediator (or a mediated Bayesian machine game) is thus a pair $(G, \mathcal{F})$, where $G = ([m], \mathcal{M}, \Pr, \ldots, u_1, \ldots, u_n)$ is a Bayesian machine game (except that $\mathcal{M}$ here denotes a set of interactive machines) and $\mathcal{F}$ is an interactive Turing machine.

Like machines in Bayesian machine games, interactive machines in a game with a mediator take as argument a view and produce an outcome. Since what an interactive machine does can depend on the history of messages sent by the mediator, the message history (or, more precisely, that part of the message history actually read by the machine) is also part of the view. Thus, we now define a view to be a string $t; h; r$ in $\{0,1\}^*; \{0,1\}^*; \{0,1\}^*$, where, as before, $t$ is that part of the type actually read and $r$ is a finite bitstring representing the string of random bits actually used, and $h$ is a finite sequence of messages received and read. Again, if $v = t; h; r$, we take $M(v)$ to be the output of $M$ given the view.

$^6$Note that if we do not disregard the cost of computation, it is not clear how to define the individual complexity of a player that is controlled by $M'_Z$.

We assume that the system proceeds in synchronous stages; a message sent by one machine to another in stage $k$ is received by the start of stage $k+1$. More formally, following [Abraham, Dolev, Gonen, and Halpern 2006], we assume that a stage consists of three phases. In the first phase of a stage, each player $i$ sends a message to the mediator, or, more precisely, player $i$'s machine $M_i$ computes a message to send to the mediator; machine $M_i$ can also send an empty message, denoted $\lambda$. In the second phase, the mediator receives the message and the mediator's machine sends each player $i$ a message in response (again, the mediator can send an empty message). In the third phase, each player $i$ performs an action other than that of sending a message (again, it may do nothing). The messages sent and the actions taken can depend on the machine's message history (as well as its initial type).

We can now define the expected utility of a profile of interactive machines in a Bayesian machine game with a mediator. The definition is similar in spirit to the definition in Bayesian machine games, except that we must take into account the dependence of a player's actions on the message sent by the mediator. Let $\mathrm{view}_i(\vec{M}, \mathcal{F}, \vec{t}, \vec{r})$ denote the string $(t_i; h_i; r_i)$ where $h_i$ denotes the messages received by player $i$ if the machine profile is $\vec{M}$, the mediator uses machine $\mathcal{F}$, the type profile is $\vec{t}$, and $\vec{r}$ is the profile of random strings used by the players and the mediator. Given a mediated Bayesian machine game $G' = (G, \mathcal{F})$, we can define the random variable $u^{G', \vec{M}}_i(\vec{t}, \vec{r})$ as before, except that now $\vec{r}$ must include a random string for the mediator, and to compute the outcome and the complexity function, $M_i$ gets as an argument $\mathrm{view}_i(\vec{M}, \mathcal{F}, \vec{t}, \vec{r})$, since this is the view that machine $M_i$ gets in this setting. Finally, we define $U^{G'}_i(\vec{M}) = E_{\Pr^+}[u^{G', \vec{M}}_i]$ as before, except that now $\Pr^+$ is a distribution on $T \times (\{0,1\}^\infty)^{n+1}$ rather than $T \times (\{0,1\}^\infty)^n$, since we must include a random string for the mediator as well as the players' machines. We can define Nash equilibrium and computationally robust Nash equilibrium in games with mediators as in Bayesian machine games; we leave the details to the reader.

Up to now, we have considered only players communicating with a mediator. We certainly want to allow for the possibility of players communicating with each other. We model this using a particular mediator that we call the communication mediator, denoted $\mathit{comm}$, which corresponds to what cryptographers call secure channels and economists call cheap talk. With this mediator, if $i$ wants to send a message to $j$, it simply sends the message and its intended recipient to the mediator $\mathit{comm}$. The mediator's strategy is simply to forward the messages, and the identities of the senders, to the intended recipients. (Technically, we assume that a message $m$ from $i$ to the mediator with intended recipient $j$ has the form $m; j$. Messages not of this form are ignored by the mediator.)


3  A  Game-Theoretic  Notion  of  Protocol  Security 

In this section we extend the traditional notion of game-theoretic implementation of mediators to consider computational games. Our aim is to obtain a notion of implementation that can be used to capture the cryptographic notion of secure computation. For simplicity, we focus on implementations of mediators that receive a single message from each player and return a single message to each player (i.e., the mediated games consist only of a single stage).

We provide a definition that captures the intuition that the machine profile $\vec{M}$ implements a mediator $\mathcal{F}$ if, whenever a set of players want to truthfully provide their “input” to the mediator $\mathcal{F}$, they also want to run $\vec{M}$ using the same inputs. To formalize “whenever”, we consider what we call canonical coalition games, where each player $i$ has a type $t_i$ of the form $x_i; z_i$, where $x_i$ is player $i$'s intended “input” and $z_i$ consists of some additional information that player $i$ has about the state of the world. We assume that the input $x_i$ has some fixed length $n$. Such games are called canonical games of input length $n$.$^7$

Let $\Lambda^{\mathcal{F}}$ denote the machine that, given type $t = x; z$, sends $x$ to the mediator $\mathcal{F}$ and outputs as its action whatever string it receives back from $\mathcal{F}$, and then halts. (Technically, we model the fact that $\Lambda^{\mathcal{F}}$ is expecting to communicate with $\mathcal{F}$ by assuming that the mediator $\mathcal{F}$ appends a signature to its messages, and any messages not signed by $\mathcal{F}$ are ignored by $\Lambda^{\mathcal{F}}$.) Thus, the machine $\Lambda^{\mathcal{F}}$ ignores the extra information $z$. Let $\vec{\Lambda}^{\mathcal{F}}$ denote the machine profile where each player uses the machine $\Lambda^{\mathcal{F}}$. Roughly speaking, to capture the fact that whenever the players want to use $\mathcal{F}$, they also want to run $\vec{M}$, we require that if $\vec{\Lambda}^{\mathcal{F}}$ is an equilibrium in the game $(G, \mathcal{F})$ (i.e., if it is an equilibrium to simply provide the intended input to $\mathcal{F}$ and finally output whatever $\mathcal{F}$ replies), running $\vec{M}$ using the intended input is an equilibrium as well.
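The following added example, not the paper's code, simulates one synchronous stage of the mediated machine game of Section 2.5, with the communication mediator $\mathit{comm}$ forwarding messages of the form $m; j$ and dropping everything else, alongside the machine $\Lambda^{\mathcal{F}}$ just described talking to a single-stage mediator that computes a constructed XOR functionality. The signature that $\Lambda^{\mathcal{F}}$ checks is modelled by a fixed tag rather than real cryptography, and all message encodings and class names are constructed assumptions.

```python
# Added example: one synchronous stage of a mediated machine game, with the
# comm mediator, a functionality mediator F, and the dummy machine Lambda^F.
# F's "signature" is a constructed tag, not real cryptography.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

EMPTY = ""          # the empty message, written lambda in the text
SIG_TAG = "sig:F:"  # constructed stand-in for F's signature on its replies


@dataclass
class View:
    """View t; h; r: type read, messages received and read, random bits used."""
    t: str
    h: List[str] = field(default_factory=list)
    r: str = ""


class Machine:
    """An interactive machine: one message and one action per stage."""
    def send(self, view: View, stage: int) -> str:
        return EMPTY
    def act(self, view: View, stage: int) -> Optional[str]:
        return None  # None means "do nothing" in phase 3


class Lambda(Machine):
    """Lambda^F: on type x;z send x to the mediator, output F's signed reply, ignore z."""
    def send(self, view: View, stage: int) -> str:
        x, _, _z = view.t.partition(";")
        return x if stage == 0 else EMPTY
    def act(self, view: View, stage: int) -> Optional[str]:
        signed = [m for m in view.h if m.startswith(SIG_TAG)]  # unsigned messages ignored
        return signed[-1][len(SIG_TAG):] if signed else None


class Talker(Machine):
    """Sends one fixed first-stage message and outputs the last message it read."""
    def __init__(self, msg: str) -> None:
        self.msg = msg
    def send(self, view: View, stage: int) -> str:
        return self.msg if stage == 0 else EMPTY
    def act(self, view: View, stage: int) -> Optional[str]:
        return view.h[-1] if view.h else None


class Comm:
    """comm: "m;j" from player i is delivered to j as "i:m"; malformed messages are dropped."""
    def respond(self, inbox: Dict[int, str]) -> Dict[int, str]:
        out = {i: EMPTY for i in inbox}
        for i, msg in inbox.items():
            body, sep, dest = msg.rpartition(";")
            if sep and dest.isdigit() and int(dest) in inbox:
                out[int(dest)] += f"{i}:{body}"
        return out


class FunctionMediator:
    """Single-stage mediator F: applies f to the first-stage inputs and signs each output."""
    def __init__(self, f: Callable[[List[str]], List[str]]) -> None:
        self.f = f
    def respond(self, inbox: Dict[int, str]) -> Dict[int, str]:
        ys = self.f([inbox[i] for i in sorted(inbox)])
        return {i: SIG_TAG + ys[i] for i in sorted(inbox)}


def xor_all(xs: List[str]) -> List[str]:
    """Constructed functionality: every player learns the bitwise XOR of all inputs."""
    acc = 0
    for x in xs:
        acc ^= int(x, 2)
    return [format(acc, f"0{len(xs[0])}b")] * len(xs)


def run(machines: List[Machine], mediator, types: List[str], stages: int = 1):
    """Run `stages` synchronous stages; return (actions, views)."""
    views = [View(t) for t in types]
    actions: List[Optional[str]] = [None] * len(machines)
    for k in range(stages):
        inbox = {i: M.send(views[i], k) for i, M in enumerate(machines)}  # phase 1
        replies = mediator.respond(inbox)                                  # phase 2
        for i, M in enumerate(machines):
            if replies.get(i, EMPTY) != EMPTY:
                views[i].h.append(replies[i])
            a = M.act(views[i], k)                                         # phase 3
            if a is not None:
                actions[i] = a
    return actions, views


def demo():
    # Lambda^F players with F = xor_all: both output 101 XOR 011 = 110.
    acts, _ = run([Lambda(), Lambda()], FunctionMediator(xor_all), ["101;z0", "011;z1"])
    # Under comm a forged "signed" reply arrives as "1:sig:F:000", so Lambda^F ignores it.
    forged, _ = run([Lambda(), Talker("sig:F:000;0")], Comm(), ["1;", "0;"])
    # comm delivers the well-formed "hello;1" and drops the malformed "garbage".
    talk, _ = run([Talker("hello;1"), Talker("garbage")], Comm(), ["", ""])
    return acts, forged, talk
```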

We actually consider a more general notion of implementation: we are interested in understanding how well equilibrium in a set of games with mediator $\mathcal{F}$ can be implemented using a machine profile $\vec{M}$ and a possibly different mediator $\mathcal{F}'$. Roughly speaking, we want that, for every game $G$ in some set $\mathcal{G}$ of games, if $\vec{\Lambda}^{\mathcal{F}}$ is an equilibrium in $(G, \mathcal{F})$, then $\vec{M}$ is an equilibrium in $(G, \mathcal{F}')$. In particular, we want to understand what degree of robustness $p$ in the game $(G, \mathcal{F})$ is required to achieve an $\epsilon$-equilibrium in the game $(G, \mathcal{F}')$. We also require that the equilibrium with mediator $\mathcal{F}'$ be as “coalition-safe” as the equilibrium with mediator $\mathcal{F}$.

Definition 3.1 (Universal implementation) Suppose that $\mathcal{G}$ is a set of $m$-player canonical games, $\mathcal{Z}$ is a set of subsets of $[m]$, $\mathcal{F}$ and $\mathcal{F}'$ are mediators, $M_1, \ldots, M_m$ are interactive machines, $p : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$, and $\epsilon : \mathbb{N} \to \mathbb{R}$. $(\vec{M}, \mathcal{F}')$ is a $(\mathcal{G}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$ if, for all $n \in \mathbb{N}$, all games $G \in \mathcal{G}$ with input length $n$, and all $\mathcal{Z}' \subseteq \mathcal{Z}$, if $\vec{\Lambda}^{\mathcal{F}}$ is a $p(n, \cdot)$-robust $\mathcal{Z}'$-safe Nash equilibrium in the mediated machine game $(G, \mathcal{F})$ then

1. (Preserving Equilibrium) $\vec{M}$ is a $\mathcal{Z}'$-safe $\epsilon(n)$-Nash equilibrium in the mediated machine game $(G, \mathcal{F}')$.

2. (Preserving Action Distributions) For each type profile $\vec{t}$, the action profile induced by $\vec{\Lambda}^{\mathcal{F}}$ in $(G, \mathcal{F})$ is identically distributed to the action profile induced by $\vec{M}$ in $(G, \mathcal{F}')$.

As we have observed, although our notion of universal implementation does not explicitly consider the privacy of players' inputs, it can nevertheless capture privacy requirements. It suffices to consider a game where a player gains significant utility by knowing some information about a player's input.

Note that, depending on the class $\mathcal{G}$, our notion of universal implementation imposes severe restrictions on the complexity of the machine profile $\vec{M}$. For instance, if $\mathcal{G}$ consists of all games, it requires that the complexity of $\vec{M}$ is the same as the complexity of $\vec{\Lambda}^{\mathcal{F}}$. (If the complexity of $\vec{M}$ is higher than that of $\vec{\Lambda}^{\mathcal{F}}$, then we can easily construct a game $G$ by choosing the utilities appropriately such that it is an equilibrium to run $\vec{\Lambda}^{\mathcal{F}}$ in $(G, \mathcal{F})$, but running $\vec{M}$ is too costly.) Also note that if $\mathcal{G}$ consists of games where players strictly prefer smaller complexity, then universal implementation requires that $\vec{M}$ be the optimal algorithm (i.e., the algorithm with the lowest complexity) that implements the functionality of $\vec{M}$, since otherwise a player would prefer to switch to the optimal implementation. Since few algorithms have been shown to be provably optimal with respect to, for example, the number of computational steps of a Turing machine, this, at first sight, seems to severely limit the use of our definition. However, if we consider games with “coarse” complexity functions where, say, the first $T$ steps are “free” (e.g., machines that execute less than $T$ steps are assigned complexity 1), or $n^2$ computational steps count as one unit of complexity, the restrictions above are not so severe. Indeed, it seems quite natural to assume that a player is indifferent between “small” differences in computation in such a sense.

$^7$Note that by simple padding, canonical games represent a setting where all parties' input lengths are upper-bounded by some value $n$ that is common knowledge. Thus, we can represent any game where there are only finitely many possible types as a canonical game for some input length $n$.

Our notion of universal implementation is related to a number of earlier notions of implementation. We now provide a brief comparison with the most relevant ones.

• Our definition of universal implementation captures intuitions similar in spirit to Forges' [1990] notion of a universal mechanism. It differs in one obvious way: our definition considers computational games, where the utility functions depend on complexity considerations. Dodis, Halevi and Rabin [2000] (and more recent work, such as [Abraham, Dolev, Gonen, and Halpern 2006; Lepinski, Micali, Peikert, and Shelat 2004; Halpern and Teague 2004; Abraham, Dolev, Gonen, and Halpern 2006; Gordon and Katz 2006; Kol and Naor 2008]) consider notions of implementation where the players are modeled as polynomially-bounded Turing machines, but do not consider computational games. As such, the notions considered in these works do not provide any a priori guarantees about the incentives of players with regard to computation.

• Our definition is more general than earlier notions of implementation in that we consider universality with respect to (sub-)classes $\mathcal{G}$ of games, and allow deviations by coalitions.

• Our notion of coalition-safety also differs somewhat from earlier related notions. Note that if $\mathcal{Z}$ contains all subsets of players with $k$ or less players, then universal implementation implies that all $k$-resilient Nash equilibria and all strong $k$-resilient Nash equilibria are preserved. However, unlike the notion of $k$-resilience considered by Abraham et al. [2006, 2008], our notion provides a “best-possible” guarantee for games that do not have a $k$-resilient Nash equilibrium. We guarantee that if a certain subset $Z$ of players have no incentive to deviate in the mediated game, then that subset will not have incentive to deviate in the cheap-talk game; this is similar in spirit to the definitions of [Izmalkov, Lepinski, and Micali 2008; Lepinski, Micali, Peikert, and Shelat 2004]. Note that, in contrast to [Izmalkov, Lepinski, and Micali 2008; Lepinski, Micali, and Shelat 2005], rather than just allowing colluding players to communicate only through their moves in the game, we allow coalitions of players that are controlled by a single entity; this is equivalent to considering collusions where the colluding players are allowed to freely communicate with each other. In other words, whereas the definitions of [Izmalkov, Lepinski, and Micali 2008; Lepinski, Micali, and Shelat 2005] require protocols to be “signalling-free”, our definition does not impose such restrictions. We believe that this model is better suited to capturing the security of cryptographic protocols in most traditional settings (where signalling is not an issue).

• We require only that a Nash equilibrium is preserved when moving from the game with mediator $\mathcal{F}$ to the communication game. Stronger notions of implementation require that the equilibrium in the communication game be a sequential equilibrium [Kreps and Wilson 1982]; see, for example, [Gerardi 2004; Ben-Porath 2003]. Since every Nash equilibrium in the game with the mediator $\mathcal{F}$ is also a sequential equilibrium, these stronger notions of implementation actually show that sequential equilibrium is preserved when passing from the game with the mediator to the communication game.

While these notions of implementation guarantee that an equilibrium with the mediator is preserved in the communication game, they do not guarantee that new equilibria are not introduced in the latter. An even stronger guarantee is provided by Izmalkov, Lepinski, and Micali's [2008] notion of perfect implementation; this notion requires a one-to-one correspondence $f$ between strategies in the corresponding games such that each player's utility with strategy profile $\vec{\sigma}$ in the game with the mediator is the same as his utility with strategy profile $(f(\sigma_1), \ldots, f(\sigma_n))$ in the communication game without the mediator. Such a correspondence, called strategic equivalence by Izmalkov, Lepinski, and Micali [2008], guarantees (among other things) that all types of equilibria are preserved when passing from one game to the other, and that no new equilibria are introduced in the communication game.  However, strategic equivalence can be achieved only with the use of strong primitives, which cannot be implemented under standard computational and systems assumptions [Lepinski, Micali, and Shelat 2005]. We focus on the simpler notion of implementation, which requires only that Nash equilibria are preserved, and leave open an exploration of more refined notions.

Strong Universal Implementation Intuitively, $(\vec{M}, \mathcal{F}')$ universally implements $\mathcal{F}$ if, whenever a set of parties want to use $\mathcal{F}$ (i.e., it is an equilibrium to use $\vec{\Lambda}^{\mathcal{F}}$ when playing with $\mathcal{F}$), then the parties also want to run $\vec{M}$ (using $\mathcal{F}'$) (i.e., using $\vec{M}$ with $\mathcal{F}'$ is also an equilibrium). We now strengthen this notion to also require that whenever a subset of the players do not want to use $\mathcal{F}$ (specifically, if they prefer to do “nothing”), then they also do not want to run $\vec{M}$, even if all other players do so. Recall that $\perp$ denotes the (canonical) machine that does nothing. We use $\perp$ to denote the special machine that sends no messages and writes nothing on the output tape.

Definition 3.2 (Strong Universal Implementation) Let $(\vec{M}, \mathcal{F}')$ be a $(\mathcal{G}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$. $(\vec{M}, \mathcal{F}')$ is a strong $(\mathcal{G}, \mathcal{Z}, p)$-implementation of $\mathcal{F}$ if, for all $n \in \mathbb{N}$, all games $G \in \mathcal{G}$ with input length $n$, and all $Z \in \mathcal{Z}$, if $\perp_Z$ is a $p(n, \cdot)$-robust best response to $\vec{\Lambda}^{\mathcal{F}}_{-Z}$ in $(G, \mathcal{F})$, then $\perp_Z$ is an $\epsilon$-best response to $\vec{M}_{-Z}$ in $(G, \mathcal{F}')$.

4  Relating  Cryptographic  and  Game-Theoretic  Implementation 

We briefly recall the notion of precise secure computation [Micali and Pass 2006; Micali and Pass 2007], which is a strengthening of the traditional notion of secure computation [Goldreich, Micali, and Wigderson 1987]; more details are given in Appendix A.

An $m$-ary functionality $f$ is specified by a random process that maps vectors of inputs to vectors of outputs (one input and one output for each player). That is, $f : ((\{0,1\}^*)^m \times \{0,1\}^\infty) \to (\{0,1\}^*)^m$, where we view $f_i$ as the $i$th component of the output vector; that is, $f = (f_1, \ldots, f_m)$. We often abuse notation and suppress the random bitstring $r$, writing $f(x)$ or $f_i(x)$. (We can think of $f(x)$ and $f_i(x)$ as random variables.) A mediator $\mathcal{F}$ (resp., a machine profile $\vec{M}$) computes $f$ if, for all $n \in \mathbb{N}$, all inputs $x \in (\{0,1\}^n)^m$, if the players tell the mediator their inputs and output what the mediator $\mathcal{F}$ tells them (resp., the output vector of the players after an execution of $\vec{M}$ where $M_i$ gets input $x_i$) is identically distributed to $f_n(x)$. Roughly speaking, a protocol $\vec{M}$ for computing a function $f$ is secure if, for every adversary $A$ participating in the real execution of $\vec{M}$, there exists a “simulator” $\tilde{A}$ participating in an ideal execution where all players directly talk to a trusted third party (i.e., a mediator) computing $f$; the job of $\tilde{A}$ is to provide appropriate inputs to the trusted party, and to reconstruct the view of $A$ in the real execution such that no distinguisher $D$ can distinguish the outputs of the parties and the view of the adversary $A$ in the real and the ideal execution. (Note that in the real execution the view of the adversary is simply the actual view of $A$ in the execution, whereas in the ideal execution it is the view output by the simulator $\tilde{A}$.) The traditional notion of secure computation [Goldreich, Micali, and Wigderson 1987] requires only that the worst-case complexity (size and running-time) of $\tilde{A}$ is polynomially related to that of $A$. Precise secure computation [Micali and Pass 2006; Micali and Pass 2007] additionally requires that the running time of the simulator $\tilde{A}$ “respects” the running time of the adversary $A$ in an “execution-by-execution” fashion: a secure computation is said to have precision $p(n, t)$ if the running-time of the simulator $\tilde{A}$ (on input security parameter $n$) is bounded by $p(n, t)$ whenever $\tilde{A}$ outputs a view in which the running-time of $A$ is $t$.

We introduce here a weakening of the notion of precise secure computation. The formal definition is given in Appendix A.1. We here highlight the key differences:

• The standard definition requires the existence of a simulator for every $A$, such that the real and the ideal execution cannot be distinguished given any set of inputs and any distinguisher. In analogy with the work of Dwork, Naor, Reingold, and Stockmeyer [2003], we change the order of the quantifiers. We simply require that given any adversary, any input distribution and any distinguisher, there exists a simulator that tricks that particular distinguisher, except with probability $\epsilon(n)$; $\epsilon$ is called the error of the secure computation.

• The notion of precise simulation requires that the simulator never exceeds its precision bounds. We here relax this assumption and let the simulator exceed its bound with probability $\epsilon(n)$.

We also generalize the notion by allowing arbitrary complexity measures (instead of just running-time) and general adversary structures [Hirt and Maurer 2000] (where the specification of a secure computation includes a set $\mathcal{Z}$ of subsets of players such that the adversary is allowed to corrupt only the players in one of the subsets in $\mathcal{Z}$; in contrast, in [Goldreich, Micali, and Wigderson 1987; Micali and Pass 2006] only threshold adversaries are considered, where $\mathcal{Z}$ consists of all subsets up to a pre-specified size $k$). The formal definition of weak $\mathscr{C}$-precise secure computation is given in Appendix A.1. Note that we can always regain the “non-precise” notion of secure computation by instantiating $\mathscr{C}(M, v)$ with the sum of the worst-case running-time of $M$ (on inputs of the same length as the input length in $v$) and the size of $M$. Thus, by the results of [Ben-Or, Goldwasser, and Wigderson 1988; Goldwasser, Micali, and Rackoff 1989; Goldreich, Micali, and Wigderson 1987], it follows that there exist weak $\mathscr{C}$-precise secure computation protocols with precision $p(n, t) = \mathrm{poly}(n, t)$ when $\mathscr{C}(M, v)$ is the sum of the worst-case running-time of $M$ and the size of $M$. The results of [Micali and Pass 2006; Micali and Pass 2007] extend to show the existence of weak $\mathscr{C}$-precise secure computation protocols with precision $p(n, t) = O(t)$ when $\mathscr{C}(M, v)$ is the sum of the running time (as opposed to just worst-case running-time) of $M(v)$ and the size of $M$. The results above continue to hold if we consider “coarse” measures of running-time and size; for instance, if, say, $n^2$ computational steps correspond to one unit of complexity (in canonical machine games with input length $n$). See Appendix 4.2 for more details.

4.1  Equivalences:  The  Information-theoretic  Case 

As a warm-up, we show that “error-free” secure computation, also known as perfectly-secure computation [Ben-Or, Goldwasser, and Wigderson 1988], already implies the traditional game-theoretic notion of implementation [Forges 1990] (which does not consider computation). To do this, we first formalize the traditional game-theoretic notion using our notation: Let $\vec{M}$ be an $m$-player profile of machines. We say that $(\vec{M}, \mathcal{F}')$ is a traditional game-theoretic implementation of $\mathcal{F}$ if $(\vec{M}, \mathcal{F}')$ is a $(\mathcal{G}^{nocomp}, \{\{1\}, \ldots, \{m\}\}, 0)$-universal implementation of $\mathcal{F}$ with 0-error, where $\mathcal{G}^{nocomp}$ denotes the class of all $m$-player canonical machine games where the utility functions do not depend on the complexity profile. (Recall that the traditional notion does not consider computational games or coalition games.)

Proposition 4.1 If $f$ is an $m$-ary functionality, $\mathcal{F}$ is a mediator that computes $f$, and $\vec{M}$ is a perfectly-secure computation of $\mathcal{F}$, then $(\vec{M}, \mathit{comm})$ is a game-theoretic implementation of $\mathcal{F}$.

Proof: We start by showing that running $\vec{M}$ is a Nash equilibrium if running $\vec{\Lambda}^{\mathcal{F}}$ with mediator $\mathcal{F}$ is one. Recall that the cryptographic notion of error-free secure computation requires that for every player $i$ and every “adversarial” machine $M'_i$ controlling player $i$, there exists a “simulator” machine $\tilde{M}_i$, such that the outputs of all players in the execution of $(M'_i, \vec{M}_{-i})$ are identically distributed to the outputs of the players in the execution of $(\tilde{M}_i, \vec{\Lambda}^{\mathcal{F}}_{-i})$ with mediator $\mathcal{F}$.$^8$ In game-theoretic terms, this means that every “deviating” strategy $M'_i$ in the communication game can be mapped into a deviating strategy $\tilde{M}_i$ in the mediated game with the same output distribution for each type, and, hence, the same utility, since the utility depends only on the type and the output distribution; this follows since we require universality only with respect to games in $\mathcal{G}^{nocomp}$. Since no deviations in the mediated game can give higher utility than the Nash equilibrium strategy of using $\vec{\Lambda}^{\mathcal{F}}$, running $\vec{M}$ must also be a Nash equilibrium.

It only remains to show that M and $\Lambda^{\mathcal{F}}$ induce the same action distribution; this follows directly from the definition of secure computation by considering an adversary that does not corrupt any parties. ∎

We note that the converse implication does not hold. Since the traditional game-theoretic notion of implementation does not consider computational cost, it does not take into account computational advantages possibly gained by using M, issues that are critical in the cryptographic notion of zero-knowledge simulation.

We now show that weak precise secure computation is equivalent to strong $\mathcal{G}$-universal implementation for certain natural classes $\mathcal{G}$ of games. For this result, we assume that the only machines that can have a complexity of 0 are those that “do nothing”: we require that, for all complexity functions $\mathscr{C}$, $\mathscr{C}(M, v) = 0$ for some view v iff $M = \bot$ iff $\mathscr{C}(M, v) = 0$ for all views v. (Recall that $\bot$ is a canonical representation of the TM that does nothing: it does not read its input, has no state changes, and writes nothing.) If $G = ([m], \mathcal{M}, \Pr, \mathscr{C}, u)$ is a canonical game with input length n, then

1. G is machine universal if the machine set $\mathcal{M}$ is the set of terminating Turing machines;

2. G is normalized if the range of $u_Z$ is [0, 1] for all subsets Z of [m];

3. G is monotone (i.e., “players never prefer to compute more”) if, for all subsets Z of [m], all type profiles t, action profiles a, and all complexity profiles $(c_Z, c_{-Z})$, $(c_Z', c_{-Z})$, if $c_Z' > c_Z$, then $u_Z(t, a, (c_Z', c_{-Z})) \le u_Z(t, a, (c_Z, c_{-Z}))$;

4. G is a $\mathscr{C}$-game if $\mathscr{C}_Z = \mathscr{C}$ for all subsets Z of [m].

Let $\mathcal{G}^{\mathscr{C}}$ denote the class of machine-universal, normalized, monotone, canonical $\mathscr{C}$-games. For our theorem we need some minimal constraints on the complexity function. For the forward direction of our equivalence results (showing that precise secure computation implies universal implementation), we require that honestly running the protocol should have constant complexity, and that it be the same with and without a mediator. More precisely, we assume that the complexity profile $\mathscr{C}$ is M-acceptable, that is, for every subset Z, the machines $(\Lambda^{\mathcal{F}})_Z$ and $M_Z$ have the same complexity $c_0$ for all inputs; that is, $\mathscr{C}((\Lambda^{\mathcal{F}})_Z, \cdot) = c_0$ and $\mathscr{C}(M_Z, \cdot) = c_0$.^9 Note that an assumption of this nature is necessary in order to show that (M, comm) is a $(\mathcal{G}^{\mathscr{C}}, Z, p)$-universal implementation of $\mathcal{F}$. If the complexity of M is higher than that of $\Lambda^{\mathcal{F}}$, then we can construct a game G such that it is an equilibrium to run $\Lambda^{\mathcal{F}}$ in (G, $\mathcal{F}$), but running M is too costly. The assumption that M

^8 This follows from the fact that perfectly-secure computation is error-free.

^9 Our results continue to hold if $c_0$ is a function of the input length n, but otherwise does not depend on the view.
and $\Lambda^{\mathcal{F}}$ have the same complexity is easily satisfied when considering a coarse complexity function (where, say, the first T steps of computation are free). Another way of satisfying this assumption is to consider a complexity function that simply charges $c_0$ for the use of the mediator, where $c_0$ is the complexity of running the protocol. Given this view, universal implementation requires only that players want to run M as long as they are willing to pay $c_0$ in complexity for talking to the mediator. For the backward direction of our equivalence (showing that universal implementation implies precise secure computation), we require that certain operations, like moving output from one tape to another, do not incur any additional complexity. Such complexity functions are called output-invariant; we provide a formal definition at the beginning of Appendix B.

We can now state the connection between secure computation and game-theoretic implementation. In the forward direction, we restrict attention to protocols M computing some m-ary functionality f that satisfy the following natural property: if a subset of the players “aborts” (not sending any messages, and outputting nothing), their input is interpreted as $\lambda$.^10 More precisely, M is an abort-preserving computation of f if for all $n \in \mathbb{N}$, every subset Z of [m], and all inputs $x \in (\{0,1\}^n)^m$, the output vector of the players after an execution of $(\bot_Z, M_{-Z})$ on input x is identically distributed to $f(\lambda_Z, x_{-Z})$.

Theorem 4.2 (Equivalence: Information-theoretic case) Suppose that f is an m-ary functionality, $\mathcal{F}$ is a mediator that computes f, M is a machine profile that computes f, Z is a set of subsets of [m], $\mathscr{C}$ is a complexity function, and p a precision function.

• If $\mathscr{C}$ is M-acceptable and M is an abort-preserving weak Z-secure computation of f with $\mathscr{C}$-precision p and ε-statistical error, then (M, comm) is a strong $(\mathcal{G}^{\mathscr{C}}, Z, p)$-universal implementation of $\mathcal{F}$ with error ε.

• If $\mathscr{C}$ is M-acceptable and output-invariant, and (M, comm) is a strong $(\mathcal{G}^{\mathscr{C}}, Z, p)$-universal implementation of $\mathcal{F}$ with error ε', then for every ε < ε', M is a weak Z-secure computation of f with $\mathscr{C}$-precision p and ε-statistical error.

As a corollary of Theorem 4.2, we get that known (precise) secure computation protocols directly yield appropriate universal implementations, provided that we consider complexity functions that are M-acceptable. For instance, by the results of [Ben-Or, Goldwasser, and Wigderson 1988; Micali and Pass 2007], every efficient m-ary functionality f has a weak Z-secure computation protocol M with $\mathscr{C}$-precision p(n, t) = t if $\mathscr{C}_Z(M, v)$ is the sum of the running time of M(v) and the size of M, and Z consists of all subsets of [m] of size smaller than |m|/3. This result still holds if we consider “coarse” measures of running time and size where, say, $O(n^c)$ computational steps (and size) correspond to one unit of complexity (in canonical machine games with input length n). Furthermore, protocol M is abort-preserving, has a constant description, and has running time smaller than some fixed polynomial $O(n^c)$ (on inputs of length n). So, if we consider an appropriately coarse notion of running time and description size, $\mathscr{C}$ is M-acceptable. By Theorem 4.2, it then immediately follows that every efficient m-ary functionality f has a strong $(\mathcal{G}^{\mathscr{C}}, Z, O(1))$-universal implementation with error 0.

Theorem 4.2 also shows that a universal implementation of a mediator $\mathcal{F}$ computing a function f with respect to general classes of games is “essentially” as hard to achieve as a secure computation of f. In particular, as long as the complexity function is output-invariant, such a universal implementation is a weak precise secure computation. Although the output-invariant condition might seem somewhat artificial, Theorem 4.2 illustrates that overcoming the “secure-computation

^10 All natural secure computation protocols that we are aware of (e.g., [Goldreich, Micali, and Wigderson 1987; Ben-Or, Goldwasser, and Wigderson 1988]) satisfy this property.
barrier” with respect to general classes of games requires making strong (and arguably unnatural^11) assumptions about the complexity function. We have not pursued this path. In Section 6, we instead consider universal implementation with respect to restricted classes of games. As we shall see, this provides an avenue for circumventing traditional impossibility results with respect to secure computation.

In Section 4.2 we also provide a “computational” analogue of the equivalence theorem above, as well as a characterization of the “standard” (i.e., “non-precise”) notion of secure computation.

Proof  overview  We  now  provide  a  high-level  overview  of  the  proof  of  Theorem  4.2.  Needless  to 
say,  this  oversimplified  sketch  leaves  out  many  crucial  details  that  complicate  the  proof. 

Weak precise secure computation implies strong universal implementation. At first glance, it might seem like the traditional notion of secure computation of [Goldreich, Micali, and Wigderson 1987] easily implies the notion of universal implementation: if there exists some (deviating) strategy A in the communication game implementing mediator $\mathcal{F}$ that results in a different distribution over actions than in equilibrium, then the simulator $\tilde{A}$ for A could be used to obtain the same distribution; moreover, the running time of the simulator is within a polynomial of that of A. Thus, it would seem like secure computation implies that any “poly”-robust equilibrium can be implemented. However, the utility function in the game considers the complexity of each execution of the computation. So, even if the worst-case running time of $\tilde{A}$ is polynomially related to that of A, the utility of corresponding executions might be quite different. This difference may have a significant effect on the equilibrium. To make the argument go through we need a simulation that preserves complexity in an execution-by-execution manner. This is exactly what precise zero knowledge [Micali and Pass 2006] does. Thus, intuitively, the degradation in computational robustness by a universal implementation corresponds to the precision of a secure computation.

More precisely, to show that a machine profile M is a universal implementation, we need to show that whenever $\Lambda^{\mathcal{F}}$ is a p-robust equilibrium in a game G with mediator $\mathcal{F}$, then M is an ε-equilibrium (with the communication mediator comm). Our proof proceeds by contradiction: we show that a deviating strategy $M_Z'$ (for a coalition Z) for the ε-equilibrium M can be turned into a deviating strategy $\tilde{M}_Z$ for the p-robust equilibrium $\Lambda^{\mathcal{F}}$. We here use the fact that M is a weak precise secure computation to find the machine $\tilde{M}_Z$; intuitively, $\tilde{M}_Z$ will be the simulator for $M_Z'$. The key step in the proof is a method for embedding any coalition machine game G into a distinguisher D that “emulates” the role of the utility function in G. If done appropriately, this ensures that the utility of the (simulator) strategy $\tilde{M}_Z$ is close to the utility of the strategy $M_Z'$, which contradicts the assumption that $\Lambda^{\mathcal{F}}$ is an ε-Nash equilibrium.

The main obstacle in embedding the utility function of G into a distinguisher D is that the utility of a machine $\tilde{M}_Z$ in G depends not only on the types and actions of the players, but also on the complexity of running $\tilde{M}_Z$. In contrast, the distinguisher D does not get the complexity of $\tilde{M}$ as input (although it gets its output v). On a high level (and oversimplifying), to get around this problem, we let D compute the utility assuming (incorrectly) that $\tilde{M}_Z$ has complexity $c = \mathscr{C}(\tilde{M}_Z, v)$ (i.e., the complexity of $\tilde{M}_Z$ in the view v output by $\tilde{M}_Z$). Suppose, for simplicity, that $\tilde{M}_Z$ is always “precise” (i.e., it always respects the complexity bounds).^12 Then it follows that (since the complexity c is always close to the actual complexity of $\tilde{M}_Z$ in every execution) the utility computed by D corresponds to the utility of some game $\tilde{G}$ that is at most a p-speedup of G. (To ensure that $\tilde{G}$ is indeed a speedup and not a “slow-down”, we need to take special care with

^11 With a coarse complexity measure, it seems natural to assume that moving content from one output tape to another incurs no change in complexity.

^12 This is an unjustified assumption; in the actual proof we actually need to consider a more complicated construction.
simulators that potentially run faster than the adversary they are simulating. The monotonicity of G helps us to circumvent this problem.) Thus, although we are not able to embed G into the distinguisher D, we can embed a related game $\tilde{G}$ into D. This suffices to show that $\Lambda^{\mathcal{F}}$ is not a Nash equilibrium in $\tilde{G}$, contradicting the assumption that $\Lambda^{\mathcal{F}}$ is a p-robust Nash equilibrium. A similar argument can be used to show that $\bot$ is also an ε-best response to $M_{-Z}$ if $\bot$ is a p-robust best response to $\Lambda^{\mathcal{F}}_{-Z}$, demonstrating that M in fact is a strong universal implementation. We here rely on the fact that M is abort-preserving to ensure that aborting in (G, $\mathcal{F}$) has the same effect as in (G, comm).

Strong universal implementation implies weak precise secure computation. To show that strong universal implementation implies weak precise secure computation, we again proceed by contradiction. We show how the existence of a distinguisher D and an adversary $M_Z'$ that cannot be simulated by any machine $M_Z$ can be used to construct a game G for which M is not a strong implementation. The idea is to have a utility function that assigns high utility to some “simple” strategy $M_Z$. In the mediated game with $\mathcal{F}$, no strategy can get better utility than $M_Z$. On the other hand, in the cheap-talk game, the strategy $M_Z'$ does get higher utility than $M_Z$. As D indeed is a function that “distinguishes” a mediated execution from a cheap-talk game, our approach will be to try to embed the distinguisher D into the game G. The choice of G depends on whether $M_Z' = \bot$. We now briefly describe these games.

If $M_Z' = \bot$, then there is no simulator for the machine $\bot$ that simply halts. In this case, we construct a game G where using $\bot$ results in a utility that is determined by running the distinguisher. (Note that $\bot$ can be easily identified, since it is the only strategy that has complexity 0.) All other strategies instead get some canonical utility d, which is higher than the utility of $\bot$ in the mediated game. However, since $\bot$ cannot be “simulated”, playing $\bot$ in the cheap-talk game leads to an even higher utility, contradicting the assumption that M is a universal implementation.

If $M_Z' \neq \bot$, we construct a game G' in which each strategy other than $\bot$ gets a utility that is determined by running the distinguisher. Intuitively, efficient strategies (i.e., strategies that have relatively low complexity compared to $M_Z$) that output views on which the distinguisher outputs 1 with high probability get high utility. On the other hand, $\bot$ gets a utility d that is at least as good as what the other strategies can get in the mediated game with $\mathcal{F}$. This makes $\bot$ a best response in the mediated game; in fact, we can define the game G' so that it is actually a p-robust best response. However, it is not even an ε-best-response in the cheap-talk game: $M_Z'$ gets higher utility, as it receives a view that cannot be simulated. (The output-invariant condition on the complexity function $\mathscr{C}$ is used to argue that $M_Z'$ can output its view at no cost.) ∎

4.2  Equivalences:  The  Computational  Case 

To  prove  a  “computational”  analogue  of  our  equivalence  theorem  (relating  computational  precise 
secure  computation  and  universal  implementation),  we  need  to  introduce  some  further  restrictions 
on  the  complexity  functions,  and  the  classes  of  games  considered. 

• A (vector of) complexity functions is efficient if each function is computable by a (randomized) polynomial-sized circuit.

• A secure computation game $G = ([m], \mathcal{M}, \Pr, \mathscr{C}, u)$ with input length n is said to be T(·)-machine universal if

  – the machine set $\mathcal{M}_{T(n)}$ is the set of Turing machines implementable by T(n)-sized randomized circuits, and

  – u is computable by a T(n)-sized circuit.
Let $\mathcal{G}^{\mathscr{C},T}$ denote the class of T(·)-machine universal, normalized, monotone, canonical $\mathscr{C}$-games. Let $\mathcal{G}^{\mathscr{C},poly}$ denote the union of $\mathcal{G}^{\mathscr{C},T}$ for all polynomial functions T.

Theorem 4.3 (Equivalence: Computational Case) Suppose that f is an m-ary functionality, $\mathcal{F}$ is a mediator that computes f, M is a machine profile that computes f, Z is a set of subsets of [m], $\mathscr{C}$ is an efficient complexity function, and p a precision function.

• If $\mathscr{C}$ is M-acceptable and M is an abort-preserving weak Z-secure computation of f with computational $\mathscr{C}$-precision p, then for every polynomial T, there exists some negligible function ε such that (M, comm) is a strong $(\mathcal{G}^{\mathscr{C},T}, Z, p)$-universal implementation of $\mathcal{F}$ with error ε.

• If $\mathscr{C}$ is M-acceptable and output-invariant, and for every polynomial T, there exists some negligible function ε such that (M, comm) is a strong $(\mathcal{G}^{\mathscr{C},T}, Z, p)$-universal implementation of $\mathcal{F}$ with error ε, then M is a weak Z-secure computation of f with computational $\mathscr{C}$-precision p.

Theorem 4.3 is proved in Appendix C.

Relating Universal Implementation and “Standard” Secure Computation Note that Theorem 4.3 also provides a game-theoretic characterization of the “standard” (i.e., “non-precise”) notion of secure computation. We simply consider a “coarse” version of the complexity function $\mathscr{C}^{wc}(M, v)$ that is the sum of the size of M and the worst-case running time of M on inputs of the same length as in the view v. (We need a coarse complexity function to ensure that $\mathscr{C}$ is M-acceptable and output-invariant.) With this complexity function, the definition of weak precise secure computation reduces to the traditional notion of weak secure computation without precision (or, more precisely, with “worst-case” precision just as in the traditional definition). Given this complexity function, the precision of a secure computation protocol becomes the traditional “overhead” of the simulator (this is also called knowledge tightness [Goldreich, Micali, and Wigderson 1991]). Roughly speaking, “weak secure computation” with overhead p is thus equivalent to strong $(\mathcal{G}^{wc,poly}, p)$-universal implementation with negligible error.

5  Universal  Implementation  for  Specific  Classes  of  Games 

Our equivalence result for secure computation might seem like a negative result. It demonstrates that considering only rational players (as opposed to adversarial players) does not facilitate protocol design. Note, however, that for the equivalence to hold, we must consider implementations universal with respect to essentially all games. In many settings, it might be reasonable to consider implementations universal with respect to only certain subclasses of games; in such scenarios, universal implementations may be significantly simpler or more efficient, and may also circumvent traditional lower bounds. We list some natural restrictions on classes of games below, and discuss how such restrictions can be leveraged in protocol design. These examples illustrate some of the benefits of a fully game-theoretic notion of security that does not rely on the standard cryptographic simulation paradigm, and show how our framework can capture in a natural way a number of natural notions of security.

To relate our notions to the standard definition of secure computation, we here focus on classes of games $\mathcal{G}$ that are subsets of $\mathcal{G}^{wc,poly}$ (as defined in Section 4.2). Furthermore, we consider only 2-player games and restrict attention to games G where the utility function is separable in the following sense: there is a standard game G' (where computational costs are not taken into account) and a function $u_i^c$ on complexity profiles for each player i, such that, for each player i, $u_i(t, a, c) = u_i'(t, a) + u_i^c(c)$. We refer to G' as the standard game embedded in G. Intuitively, this says that the utilities in G are just the sum of the utility in a game G' where computation is not taken into account and a term that depends only on computation costs.

Games with punishment: Many natural situations can be described as games where players can choose actions that “punish” an individual player i. For instance, this punishment can represent the cost of being excluded from future interactions. Intuitively, games with punishment model situations where players do not want to be caught cheating. Punishment strategies (such as the grim-trigger strategy in repeated prisoner’s dilemma, where a player defects forever once his opponent defects once [Axelrod 1984]) are extensively used in the game-theory literature. We give two examples where cryptographic protocol design is facilitated when requiring only implementations that are universal with respect to games with punishment.

Covert adversaries: As observed by Malkhi et al. [2004], and more recently formalized by Aumann and Lindell [2006] [AL from now on], in situations where players do not want to be caught cheating, it is easier to construct efficient protocols. Using our framework, we can formalize this intuition in a straightforward way. To explain the intuitions, we consider a particularly simple setting. Let $\mathcal{G}^{punish}$ consist of normalized 2-player games G (with a standard game G' embedded in G), where (1) honestly reporting your input and outputting whatever the mediator replies (i.e., playing the strategy implemented by $\Lambda^{\mathcal{F}}$) is a Nash equilibrium in (G', $\mathcal{F}$) where both players are guaranteed to get utility 1/2 (not just in expectation, but even in the worst case), and (2) there is a special string punish such that player 1 − i receives payoff 0 in G if player i outputs the string punish. In this setting, we claim that any secure computation of a function f with respect to covert adversaries with deterrent 1/2 in the sense of [Aumann and Lindell 2006, Definition 3.3] is a $(\mathcal{G}^{punish,poly}, Z)$-universal implementation of $\mathcal{F}$ with negligible error (where Z = {{1}, {2}}, and $\mathcal{F}$ is a mediator computing f). Roughly speaking, the AL definition follows the traditional definition of secure computation, but changes how the ideal-model trusted party operates. More precisely, the ideal-model adversary, A, is given two new special messages it can send to the trusted party: cheat and corrupted. If it sends corrupted, the trusted party simply outputs punish to both players — this amounts to the adversary admitting that it is a “cheater”; if it sends cheat, then with probability 1/2 the adversary gets to see the input of the honest player and to select the honest player’s output (this models successful undetected cheating), and with probability 1/2 the trusted party outputs punish to both players (this models the event that cheating was detected). We rely on the proofs of Theorems B.2 and C.1 to show that this notion of security suffices to get a universal implementation. For any strategy M' in the cheap-talk game, we want to construct a strategy $\tilde{M}$ in the mediated game $(\tilde{G}, \mathcal{F})$ (where $\mathcal{F}$ computes f, and $\tilde{G}$ is a poly-speedup of G) with roughly the same utility (formally, with utility negligibly close); if we can do this, the rest of the proof follows as in Proposition B.2.

We first show how to do this for a different mediated game $(\tilde{G}, \tilde{\mathcal{F}})$, where $\tilde{G}$ is a poly-speedup of G and $\tilde{\mathcal{F}}$ is a variant of $\mathcal{F}$ that considers the extra special operations considered in the AL trusted-party definition. In this game, we can simply use the simulator $\tilde{M}$ for M', letting $\tilde{G}$ be a speedup of G that takes care of the overhead in complexity of $\tilde{M}$ with respect to M'; this can be done just as in the proof of Theorem B.2, but is much simpler as we here only consider worst-case complexity. (Recall that a game $\tilde{G}$ is a speedup of G if $\tilde{G}$ and G are identical except for the complexity profiles and the machine set, and where the complexity profile in $\tilde{G}$ is a speedup of that in G.) Next, we convert $\tilde{M}$ into a machine $\hat{M}$ that never outputs any of the special messages corrupt and cheat. $\hat{M}$ simply runs $\tilde{M}$; if at any point $\tilde{M}$ attempts to output a special message, $\hat{M}$ instead (honestly) outputs the input of the corrupted player (and finally outputs whatever the mediator replies). We first claim that $\hat{M}$ gets at least as high utility as $\tilde{M}$ in the standard game G'. This follows since honestly outputting the true input gives a utility of 1/2 (by definition); on the other hand, outputting corrupt gives a payoff of 0, and outputting cheat gives a payoff of at most 1/2 × 1 + 1/2 × 0. Furthermore, the overhead in complexity of $\hat{M}$ with respect to $\tilde{M}$ is at most polynomial; thus we can construct a game $\hat{G}$ that is at most a poly-speedup of $\tilde{G}$ (and thus also of G) such that the utility of $\hat{M}$ in $(\hat{G}, \mathcal{F})$ is at least that of $\tilde{M}$ in $(\tilde{G}, \tilde{\mathcal{F}})$. This concludes the proof.

Fairness: It is well-known that, for many functions, secure 2-player computation where both players receive output is impossible if we require fairness (i.e., that either both or neither of the players receives an output) [Goldreich 2004]. Such impossibility results can be easily circumvented by considering universal implementation with respect to games with punishment. This follows from the fact that although it is impossible to get secure computation with fairness, the weaker notion of secure computation with abort [Goldwasser and Lindell 2002] is achievable. Intuitively, this notion guarantees that the only attack possible is one where one of the players prevents the other player from getting its output; this is called an abort. This is formalized by adapting the trusted party in the ideal model to allow the adversary to send a special abort message to the trusted party after seeing its own output, which blocks it from delivering an output to the honest party. To get a universal implementation with respect to games with punishment, it is sufficient to use any secure computation protocol with abort (see [Goldwasser and Lindell 2002; Micali and Pass 2007]) modified so that players output punish if the other player aborts. It immediately follows that a player can never get a higher utility by aborting (as this will be detected by the other player, and consequently the aborting player will be punished). Again, this is formalized by showing that for any ideal-model adversary that sends an abort message to the trusted party, there exists some other adversary (with essentially the same complexity) that simply does not send the abort message; this can only improve its utility (since aborting guarantees a utility of 0). This result can be viewed as a generalization of the approach of [Dodis, Halevi, and Rabin 2000].^13
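The covert-adversary argument above and the secure-computation-with-abort argument in this paragraph rest on the same calculation: replacing every special message to the trusted party by honest play never lowers the ideal-model adversary's utility in a game with punishment. The Python model below is an added example, not the paper's or AL's code; it encodes a constructed embedded standard game G' meeting conditions (1) and (2), the three special messages, and the conversion step, and it also generalizes to an arbitrary deterrent ε to show that, in this constructed game, the argument goes through exactly when ε ≥ 1/2.

```python
from fractions import Fraction
from typing import List, Tuple

PUNISH = "punish"
# Messages an ideal-model adversary may send to the trusted party: `honest` reports
# the true input (the strategy Lambda^F); the others are the special messages of the
# covert-adversary model (cheat, corrupted) and of the with-abort model (abort).
MESSAGES = ("honest", "corrupted", "cheat", "abort")
SPECIAL = ("corrupted", "cheat", "abort")

# (probability, corrupted player's output, honest player's output)
Outcome = Tuple[Fraction, str, str]


def utility_in_standard_game(my_output: str, other_output: str) -> Fraction:
    """Constructed utility of the standard game G' embedded in G (not from the paper).

    It satisfies the two conditions of the punishment setting: honest play is worth
    exactly 1/2 (condition 1) and a player whose opponent outputs `punish` gets 0
    (condition 2).  A successful undetected cheat is given the maximum normalized
    utility 1, which is the worst case for the argument.
    """
    if other_output == PUNISH:
        return Fraction(0)
    if my_output == "cheated":
        return Fraction(1)
    return Fraction(1, 2)


def trusted_party(message: str, deterrent: Fraction) -> List[Outcome]:
    """Outcome distribution of the modified ideal-model trusted party.

    Covert-adversary rules (deterrent = 1/2 in the paper): `corrupted` makes the
    trusted party output `punish` to both players; `cheat` is detected with
    probability `deterrent` (punish to both), otherwise the adversary learns the
    honest input and dictates the honest player's output.  `abort` follows the
    with-abort model plus the paper's modification: the adversary keeps its own
    output, and the honest player, receiving none, outputs `punish`.
    """
    if message == "honest":
        return [(Fraction(1), "f(x,y)", "f(x,y)")]
    if message == "corrupted":
        return [(Fraction(1), PUNISH, PUNISH)]
    if message == "cheat":
        return [(deterrent, PUNISH, PUNISH),
                (1 - deterrent, "cheated", "adversary-chosen")]
    if message == "abort":
        return [(Fraction(1), "f(x,y)", PUNISH)]
    raise ValueError(f"unknown message {message!r}")


def expected_utility(message: str, deterrent: Fraction = Fraction(1, 2)) -> Fraction:
    """Expected utility of the corrupted player in G' for one ideal-model strategy."""
    return sum((p * utility_in_standard_game(adv, hon)
                for p, adv, hon in trusted_party(message, deterrent)), Fraction(0))


def sanitize(message: str) -> str:
    """The paper's conversion step: a machine that, whenever the simulator would send
    a special message, honestly reports the corrupted player's input instead."""
    return "honest" if message in SPECIAL else message


def conversion_is_utility_preserving(deterrent: Fraction = Fraction(1, 2)) -> bool:
    """True iff, for every ideal-model strategy, the sanitized strategy does at least
    as well in G'.  This is the claim both proof sketches rely on."""
    return all(expected_utility(sanitize(m), deterrent) >= expected_utility(m, deterrent)
               for m in MESSAGES)


def smallest_sufficient_deterrent(step: int = 100) -> Fraction:
    """Smallest deterrent k/step for which the conversion argument goes through in
    this constructed game (an added generalization; the paper fixes 1/2)."""
    for k in range(step + 1):
        eps = Fraction(k, step)
        if conversion_is_utility_preserving(eps):
            return eps
    raise AssertionError("unreachable: deterrent 1 always suffices")


if __name__ == "__main__":
    for m in MESSAGES:
        print(f"{m:>10}: {expected_utility(m)}  ->  {sanitize(m)}: "
              f"{expected_utility(sanitize(m))}")
    print("argument holds at deterrent 1/2:", conversion_is_utility_preserving())
    print("smallest sufficient deterrent:", smallest_sufficient_deterrent())
```

With deterrent 1/2 the table reproduces the paper's bound: honest 1/2, corrupted 0, cheat 1/2 · 1 + 1/2 · 0, abort 0, so sanitizing never loses; with a smaller deterrent the cheat branch exceeds 1/2 and the conversion argument fails.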

Strictly  monotone  games:  In  our  equivalence  results  we  considered  monotone  games,  where 
players  never  prefer  to  compute  more.  It  is  sometimes  reasonable  to  assume  that  players 
strictly  prefer  to  compute  less.  We  outline  a  few  possible  advantages  of  considering  universal 
implementations  with  respect  to  strictly  monotone  games. 

Gradual-release protocols: One vein of research on secure computation considers protocols for achieving fair exchanges using gradual-release protocols (see e.g., [Boneh and Naor 2000]). In a gradual-release protocol, the players are guaranteed that if at any point one player aborts, then the other player(s) can compute the output within a comparable amount of time (e.g., we can require that if a player aborts and can compute the answer in t time units, then all the other players should be able to compute it within 2t time units). We believe that by making appropriate assumptions about the utility of computation, we can ensure that players never have incentives to deviate. Consider, for instance, a two-player computation of a function f where in the last phase the players invoke a gradual exchange protocol such that if any player

^13 For this application, it is not necessary to use our game-theoretic definition of security. An alternative way to capture fairness in this setting would be to require security with respect to the standard (simulation-based) definition with abort, and additionally fairness (but not security) with respect to rational agents, according to the definition of [Dodis, Halevi, and Rabin 2000; Halpern and Teague 2004]; this approach is similar to the one used by Kol and Naor [2008]. Our formalization is arguably more natural, and also considers rational agents that “care” about computation.
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aborts  during  the  gradual  exchange  protocol,  the  other  players  attempts  to  recover  the  secret 
using  a  brute-force  search.  Intuitively,  if  for  each  player  the  cost  of  computing  t  extra  steps 
is  positive,  even  if  the  other  player  computes,  say,  2 t  extra  steps,  it  will  never  be  worth  it  for 
a  player  to  abort:  by  the  security  of  the  gradual- release  protocol,  an  aborting  player  can  only 
get  its  output  twice  as  fast  as  the  other  player.  Note  that  merely  making  assumptions  about 
the  cost  of  computing  does  not  suffice  to  make  this  approach  work;  we  also  need  to  ensure 
that  players  prefer  getting  the  output  to  not  getting  it,  even  if  they  can  trick  other  players 
into  computing  for  a  long  time.  Otherwise,  a  player  might  prefer  to  abort  and  not  compute 
anything,  while  the  other  player  attempts  to  compute  the  output.  We  leave  a  full  exploration 
of  this  approach  for  future  work. 

Error-free implementations: Unlike perfectly-secure protocols, computationally-secure protocols inherently have a nonzero error probability. For instance, secure 2-player computation can be achieved only with computational security (with nonzero error probability). By our equivalence result, it follows that strong universal implementations with respect to the most general classes of 2-player games also require nonzero error probability. Considering universality with respect to only strictly monotone games gives an approach for achieving error-free implementations. This seems particularly promising if we consider an idealized model where cryptographic functionalities (such as one-way functions) are modeled as black boxes (see, e.g., the random oracle model of Bellare and Rogaway [1993]), and the complexity function considers the number of calls to the cryptographic function. Intuitively, if the computational cost of trying to break the cryptographic function is higher than the expected gain, it is not worth deviating from the protocol. We leave open an exploration of this topic. (A recent paper by Micali and Shelat [2009] relies on this idea, in combination with physical devices, to achieve error-free implementations in the context of secret sharing.)

Using computation as payment: Shoham and Tennenholtz [Shoham and Tennenholtz 2005] have investigated what functions $f$ of two players' inputs $x_1, x_2$ can be computed by the players if they have access to a trusted party. The players are assumed to want to get the output $y = f(x_1, x_2)$, but each player $i$ does not want to reveal more about his input $x_i$ than what can be deduced from $y$. Furthermore, each player $i$ prefers that other players do not get the output (although this is not as important as $i$ getting the output and not revealing its input $x_i$). Interestingly, as Shoham and Tennenholtz point out, the simple binary function AND cannot be truthfully computed by two players, even if they have access to a trusted party. A player that has input 0 always knows the output $y$ and thus does not gain anything from providing its true input to the trusted party: in fact, it always prefers to provide the input 1 in order to trick the other player.

We believe that for strictly monotone games this problem can be overcome by the use of cryptographic protocols. The idea is to construct a cryptographic protocol for computing AND where the players are required to solve a computational puzzle if they want to use 1 as input; if they use input 0 they are not required to solve the puzzle. The puzzle should have the property that it requires a reasonable amount of computational effort to solve. If this computational effort is more costly than the potential gain of tricking the other player into getting the wrong output, then it is not worth it for a player to provide input 1 unless its input actually is 1. To make this work, we need to make sure the puzzle is "easy" enough to solve, so that a player with input 1 will actually want to solve the puzzle in order to get the correct output. We leave a full exploration of this idea for future work.
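The following toy model is an added illustration of the incentive argument above; it is not code from the paper or from Shoham and Tennenholtz. It assumes a utility for player $i$ built from three constructed parameters (the value of learning the true output, the loss when the other player learns the true output, and the puzzle cost charged for submitting input 1) and checks, against a truthful opponent, for which puzzle costs truthful reporting of AND is a best response.

```python
"""Toy incentive model for two-party AND with a computational puzzle as payment.

Added illustration, not the paper's code.  All utility weights are assumed:
  gain_out    : value to a player of learning the true output y = x1 AND x2
  loss_other  : loss to a player when the other player learns the true output
  puzzle_cost : computation a player must spend to submit input 1
A trusted party announces the AND of the two reported bits to both players.
"""
from itertools import product


def announced_output(rep_i: int, rep_j: int) -> int:
    """What the trusted party announces given the two reported bits."""
    return rep_i & rep_j


def utility(true_i: int, rep_i: int, true_j: int,
            gain_out: float, loss_other: float, puzzle_cost: float) -> float:
    """Utility of player i (true bit true_i, reported bit rep_i) when
    player j reports its true bit true_j (the Nash best-response check)."""
    y_true = true_i & true_j
    y_announced = announced_output(rep_i, true_j)
    # i knows the true output if its own bit is 0 (then y = 0 for sure), or
    # if it reported 1, in which case the announcement equals j's bit.
    i_learns = int(true_i == 0 or rep_i == 1)
    # j trusts the announcement, so j learns the true output exactly when
    # the announcement is correct.
    j_learns = int(y_announced == y_true)
    # Submitting input 1 means solving the puzzle; input 0 is free.
    paid = puzzle_cost if rep_i == 1 else 0.0
    return gain_out * i_learns - loss_other * j_learns - paid


def truthful_is_best_response(gain_out: float, loss_other: float,
                              puzzle_cost: float) -> bool:
    """True iff, for every pair of true inputs, reporting truthfully is
    weakly better for player i than the single possible lie (flipping the
    bit; for a player with bit 1 the lie is skipping the puzzle)."""
    for true_i, true_j in product((0, 1), repeat=2):
        honest = utility(true_i, true_i, true_j,
                         gain_out, loss_other, puzzle_cost)
        lie = utility(true_i, 1 - true_i, true_j,
                      gain_out, loss_other, puzzle_cost)
        if lie > honest:
            return False
    return True


def admissible_puzzle_costs(gain_out: float, loss_other: float):
    """Closed interval [lo, hi] of puzzle costs under which truthfulness is a
    best response, read off from utility():
      - a bit-0 player must not profit from lying:  puzzle_cost >= loss_other
      - a bit-1 player must still want to pay:      puzzle_cost <= gain_out - loss_other
    Returns None when the interval is empty (the "spite" term is too large
    relative to the value of the output)."""
    lo, hi = loss_other, gain_out - loss_other
    return (lo, hi) if lo <= hi else None


if __name__ == "__main__":
    G, L = 10.0, 3.0  # assumed weights: output worth more than twice the spite term
    print("no puzzle:", truthful_is_best_response(G, L, 0.0))   # bit-0 player lies
    print("cost 5   :", truthful_is_best_response(G, L, 5.0))   # truthful equilibrium
    print("cost 9   :", truthful_is_best_response(G, L, 9.0))   # bit-1 player skips puzzle
    print("range    :", admissible_puzzle_costs(G, L))
```

The empty interval returned for `gain_out < 2 * loss_other` reflects the paper's proviso that getting the output must matter more than denying it to the other player.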

More  generally,  we  believe  that  combining  computational  assumptions  with  assumptions  about 
utility will be a fruitful line of research for secure computation. For instance, it is conceivable
that  difficulties  associated  with  concurrent  executability  of  protocols  could  be  alleviated  by  making 
assumptions  regarding  the  cost  of  message  scheduling;  the  direction  of  Cohen,  Kilian,  and  Petrank 
[2001]  (where  players  who  delay  messages  are  themselves  punished  with  delays)  seems  relevant  in 
this  regard. 

6  Directions  for  Future  Research 

We have provided a game-theoretic definition of protocol security, and shown a close connection
between  computationally  robust  Nash  equilibria  and  precise  secure  computation.  This  opens  the 
door  to  a  number  of  exciting  research  directions  in  both  secure  computation  and  game  theory.  We 
describe  a  few  here: 

• Our notion of universal implementation uses Nash equilibrium as the solution concept. It is well known that in (traditional) extensive form games (i.e., games defined by a game tree), a Nash equilibrium might prescribe non-optimal moves at game histories that do not occur on the equilibrium path. This can lead to "empty threats": "punishment" strategies that are non-optimal and thus not credible. Many recent works on implementation (see e.g., [Gerardi 2004; Izmalkov, Lepinski, and Micali 2008]) therefore focus on stronger solution concepts such as sequential equilibrium [Kreps and Wilson 1982]. We note that when taking computation into account, the distinction between credible and non-credible threats becomes more subtle: the threat of using a non-optimal strategy in a given history might be credible if, for instance, the overall complexity of the strategy is smaller than any strategy that is optimal at every history. Thus, a simple strategy that is non-optimal off the equilibrium path might be preferred to a more complicated (and thus more costly) strategy that performs better off the equilibrium path (indeed, people often use non-optimal but simple "rules-of-thumb" when making decisions); see [Halpern and Pass 2008] for more details. Finding a good definition of empty threats in games with computation costs seems challenging.

• As we have seen, universal implementation is equivalent to a variant of precise secure computation with the order of quantification reversed. It would be interesting to find a notion of implementation that corresponds more closely to the standard definition, without a change in the order of quantifiers; in particular, whereas the traditional definition of zero-knowledge guarantees deniability (i.e., the property that the interaction does not leave any "trace"), the new one does not. Finding a game-theoretic definition that also captures deniability seems like an interesting question.

•  A  natural  next  step  would  be  to  introduce  notions  of  computation  in  the  epistemic  logic. 
There  has  already  been  some  work  in  this  direction  (see,  for  example,  [Halpern,  Moses,  and 
Tuttle  1988;  Halpern,  Moses,  and  Vardi  1994;  Moses  1988]).  We  believe  that  combining  the 
ideas  of  this  paper  with  those  of  the  earlier  papers  will  allow  us  to  get,  for  example,  a  cleaner 
knowledge-theoretic  account  of  zero  knowledge  than  that  given  by  Halpern,  Moses,  and  Tuttle 
[1988].  A  first  step  in  this  direction  is  taken  in  [Halpern,  Pass,  and  Raman  2009]. 
Appendix


A  Precise  Secure  Computation 

In  this  section,  we  review  the  notion  of  precise  secure  computation  [Micali  and  Pass  2006;  Micali 
and  Pass  2007],  which  is  a  strengthening  of  the  traditional  notion  of  secure  computation  [Goldreich, 
Micali,  and  Wigderson  1987].  We  consider  a  system  where  players  are  connected  through  secure 
(i.e.,  authenticated  and  private)  point-to-point  channels.  We  consider  a  malicious  adversary  that  is 
allowed  to  corrupt  a  subset  of  the  m  players  before  the  interaction  begins;  these  players  may  then 
deviate arbitrarily from the protocol. Thus, the adversary is static: it cannot corrupt players based on history.

An $m$-ary functionality is specified by a random process that maps vectors of inputs to vectors of outputs (one input and one output for each player). That is, formally, $f : ((\{0,1\}^*)^m \times \{0,1\}^\infty) \to (\{0,1\}^*)^m$ and $f = (f_1, \ldots, f_m)$. We often abuse notation and suppress the random bitstring $r$, writing $f(x)$ or $f_i(x)$. (We can think of $f(x)$ and $f_i(x)$ as random variables.) A machine profile $M$ computes $f$ if, for all $n \in \mathbb{N}$ and all inputs $x \in (\{0,1\}^n)^m$, the output vector of the players after an execution of $M$ on input $x$ (where $M_i$ gets input $x_i$) is identically distributed to $f(x)$.¹⁴ As usual, the security of protocol $M$ for computing a function $f$ is defined by comparing the real execution of $M$ with an ideal execution where all players directly talk to a trusted third party (i.e., a mediator) computing $f$. In particular, we require that the outputs of the players in both of these executions cannot be distinguished, and additionally that the view of the adversary in the real execution can be reconstructed by the ideal-execution adversary (called the simulator). Additionally, precision requires that the running time of the simulator in each run of the ideal execution is closely related to the running time of the real-execution adversary in the (real-execution) view output by the simulator.

The ideal execution  Let $f$ be an $m$-ary functionality. Let $\tilde{A}$ be a probabilistic polynomial-time machine (representing the ideal-model adversary) and suppose that $\tilde{A}$ controls the players in $Z \subseteq [m]$. We characterize the ideal execution of $f$ given adversary $\tilde{A}$ using a function denoted $\mathrm{IDEAL}_{f,\tilde{A}}$ that maps an input vector $x$, an auxiliary input $z$, and a tuple $(r_{\tilde{A}}, r_f) \in (\{0,1\}^\infty)^2$ (a random string for the adversary $\tilde{A}$ and a random string for the trusted third party) to a triple $(x, y, v)$, where $y$ is the output vector of the players $1, \ldots, m$, and $v$ is the output of the adversary $\tilde{A}$ on its tape given input $(z, x, r_{\tilde{A}})$, computed according to the following three-stage process.

In the first stage, each player $i$ receives its input $x_i$. Each player $i \notin Z$ next sends $x_i$ to the trusted party. (Recall that in the ideal execution, there is a trusted third party.) The adversary $\tilde{A}$ determines the value $x'_i \in \{0,1\}^*$ a player $i \in Z$ sends to the trusted party. We assume that the system is synchronous, so the trusted party can tell if some player does not send a message; if player $i$ does not send a message, $i$ is taken to have sent $\lambda$. Let $x'$ be the vector of values received by the trusted party. In the second stage, the trusted party computes $y_i = f_i(x', r_f)$ and sends $y_i$ to $P_i$ for every $i \in [m]$. Finally, in the third stage, each player $i \notin Z$ outputs the value $y_i$ received from the trusted party. The adversary $\tilde{A}$ determines the output of the players $i \in Z$. $\tilde{A}$ finally also outputs an arbitrary value $v$ (which is supposed to be the "reconstructed" view of the real-execution adversary $A$). Let $\mathrm{VIEW}_{f,\tilde{A}}(x, z, r)$ denote the view of $\tilde{A}$ in this execution. We occasionally abuse notation and suppress the random strings, writing $\mathrm{IDEAL}_{f,\tilde{A}}(x, z)$ and $\mathrm{VIEW}_{f,\tilde{A}}(x, z)$; we can think of $\mathrm{IDEAL}_{f,\tilde{A}}(x, z)$ and $\mathrm{VIEW}_{f,\tilde{A}}(x, z)$ as random variables.

¹⁴ A common relaxation requires only that the output vectors are statistically close. All our results can be modified to apply also to protocols that satisfy only such a "statistical" notion of computation.
The real execution  Let $f$ be an $m$-ary functionality, let $\Pi$ be a protocol for computing $f$, and let $A$ be a machine that controls the same set $Z$ of players as $\tilde{A}$. We characterize the real execution of $\Pi$ given adversary $A$ using a function denoted $\mathrm{REAL}_{\Pi,A}$ that maps an input vector $x$, an auxiliary input $z$, and a tuple $r$ of random strings in $\{0,1\}^\infty$ ($m - |Z|$ random strings for the players not in $Z$ and a random string for the adversary $A$), to a triple $(x, y, v)$, where $y$ is the output of players $1, \ldots, m$, and $v$ is the view of $A$ that results from executing protocol $\Pi$ on inputs $x$, when players $i \in Z$ are controlled by the adversary $A$, who is given auxiliary input $z$. As before, we often suppress the vector of random bitstrings $r$ and write $\mathrm{REAL}_{\Pi,A}(x, z)$.

We now formalize the notion of precise secure computation. For convenience, we slightly generalize the definition of [Micali and Pass 2006] to consider general adversary structures [Hirt and Maurer 2000]. More precisely, we assume that the specification of a secure computation protocol includes a set $\mathcal{Z}$ of subsets of players, where the adversary is allowed to corrupt only the players in one of the subsets in $\mathcal{Z}$; the definition of [Micali and Pass 2006; Goldreich, Micali, and Wigderson 1987] considers only threshold adversaries where $\mathcal{Z}$ consists of all subsets up to a pre-specified size $k$. We first provide a definition of precise computation in terms of running time, as in [Micali and Pass 2006], although other complexity functions could be used; we later consider general complexity functions.

Let $\mathrm{STEPS}$ be the complexity function that, on input a machine $M$ and a view $v$, roughly speaking, gives the number of "computational steps" taken by $M$ in the view $v$. In counting computational steps, we assume a representation of machines such that a machine $M$, given as input an encoding of another machine $A$ and an input $x$, can emulate the computation of $A$ on input $x$ with only linear overhead. (Note that this is clearly the case for "natural" memory-based models of computation. An equivalent representation is a universal Turing machine that receives the code it is supposed to run on one input tape.)

In the following definition, we say that a function is negligible if it is asymptotically smaller than the inverse of any fixed polynomial. More precisely, a function $\nu : \mathbb{N} \to \mathbb{R}$ is negligible if, for all $c > 0$, there exists some $n_c$ such that $\nu(n) < n^{-c}$ for all $n > n_c$.

Roughly speaking, a computation is secure if the ideal execution cannot be distinguished from the real execution. To make this precise, a distinguisher is used. Formally, a distinguisher gets as input a bitstring $z$, a triple $(x, y, v)$ (intuitively, the output of either $\mathrm{IDEAL}_{f,\tilde{A}}$ or $\mathrm{REAL}_{\Pi,A}$ on $(x, z)$ and some appropriate-length tuple of random strings) and a random string $r$, and outputs either 0 or 1. As usual, we typically suppress the random bitstring and write, for example, $D(z, \mathrm{IDEAL}_{f,\tilde{A}}(x, z))$ or $D(z, \mathrm{REAL}_{\Pi,A}(x, z))$.


Definition A.1 (Precise Secure Computation)  Let $f$ be an $m$-ary function, $\Pi$ a protocol computing $f$, $\mathcal{Z}$ a set of subsets of $[m]$, $p : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$, and $\epsilon : \mathbb{N} \to \mathbb{R}$. Protocol $\Pi$ is a $\mathcal{Z}$-secure computation of $f$ with precision $p$ and $\epsilon$-statistical error if, for all $Z \in \mathcal{Z}$ and every real-model adversary $A$ that controls the players in $Z$, there exists an ideal-model adversary $\tilde{A}$, called the simulator, that controls the players in $Z$ such that, for all $n \in \mathbb{N}$, all $x = (x_1, \ldots, x_m) \in (\{0,1\}^n)^m$, and all $z \in \{0,1\}^*$, the following conditions hold:

1. For every distinguisher $D$,

$$\left| \Pr_U[D(z, \mathrm{REAL}_{\Pi,A}(x, z)) = 1] - \Pr_U[D(z, \mathrm{IDEAL}_{f,\tilde{A}}(x, z)) = 1] \right| \le \epsilon(n).$$

2. $\Pr_U[\mathrm{STEPS}(\tilde{A}, \mathrm{VIEW}_{f,\tilde{A}}(x, z)) \le p(n, \mathrm{STEPS}(A, \tilde{A}(\mathrm{VIEW}_{f,\tilde{A}}(x, z))))] = 1$.¹⁵

¹⁵ Note that the three occurrences of $\Pr_U$ in the first two clauses represent slightly different probability measures,
$\Pi$ is a $\mathcal{Z}$-secure computation of $f$ with precision $p$ and $(T, \epsilon)$-computational error if it satisfies the two conditions above with the adversary $A$ and the distinguisher $D$ restricted to being computable by a TM with running time bounded by $T(\cdot)$.

Protocol $\Pi$ is a $\mathcal{Z}$-secure computation of $f$ with statistical precision $p$ if there exists some negligible function $\epsilon$ such that $\Pi$ is a $\mathcal{Z}$-secure computation of $f$ with precision $p$ and $\epsilon$-statistical error. Finally, protocol $\Pi$ is a $\mathcal{Z}$-secure computation of $f$ with computational precision $p$ if for every polynomial $T$, there exists some negligible function $\epsilon$ such that $\Pi$ is a $\mathcal{Z}$-secure computation of $f$ with precision $p$ and $(T, \epsilon)$-computational error.

The traditional notion of secure computation is obtained by replacing condition 2 with the requirement that the worst-case running time of $\tilde{A}$ is polynomially related to the worst-case running time of $A$.

The following theorems were provided by Micali and Pass [2007, 2006], using the results of Ben-Or, Goldwasser and Wigderson [1988] and Goldreich, Micali and Wigderson [1987]. Let $\mathcal{Z}^m_t$ denote all the subsets of $[m]$ containing $t$ or fewer elements. An $m$-ary functionality $f$ is said to be well-formed if it essentially ignores arguments that are not in $(\{0,1\}^n)^m$ for some $n$. More precisely, if there exist $j, j'$ such that $|x_j| \neq |x_{j'}|$, then $f_i(x) = \lambda$ for all $i \in [m]$. (See [Goldreich 2004, p. 617] for motivation and more details.)

Theorem A.2  For every well-formed $m$-ary functionality $f$, there exists a precision function $p$ such that $p(n, t) = O(t)$ and a protocol $\Pi$ that $\mathcal{Z}^m_{\lceil m/3 \rceil - 1}$-securely computes $f$ with precision $p$ and 0-statistical error.

This  result  can  also  be  extended  to  more  general  adversary  structures  by  relying  on  the  results  of 
[Hirt  and  Maurer  2000].  We  can  also  consider  secure  computation  of  specific  2-party  functionalities. 

Theorem A.3  Suppose that there exists an enhanced trapdoor permutation.¹⁶ For every well-formed 2-ary functionality $f$ where only one party gets an output (i.e., $f_1(\cdot) = \lambda$), there exists a precision function $p$ such that $p(n, t) = O(t)$ and a protocol $\Pi$ that $\mathcal{Z}^2_1$-securely computes $f$ with computational precision $p$.

Micali  and  Pass  [2006]  also  obtain  unconditional  results  (using  statistical  security)  for  the  special 
case  of  zero-knowledge  proofs.  We  refer  the  reader  to  [Micali  and  Pass  2006;  Pass  2006]  for  more 
details. 

A.1 Weak Precise Secure Computation

Universal  implementation  is  not  equivalent  to  precise  secure  computation,  but  to  a  (quite  natural) 
weakening  of  it.  Weak  precise  secure  computation,  which  we  are  about  to  define,  differs  from  precise 
secure  computation  in  the  following  respects: 

•  Just  as  in  the  traditional  definition  of  zero  knowledge  [Goldwasser,  Micali,  and  Rackoff  1989], 
precise  zero  knowledge  requires  that  for  every  adversary,  there  exists  a  simulator  that,  on  all 
inputs,  produces  an  interaction  that  no  distinguisher  can  distinguish  from  the  real  interaction. 
This  simulator  must  work  for  all  inputs  and  all  distinguishers.  In  analogy  with  the  notion 
of  “weak  zero  knowledge”  [Dwork,  Naor,  Reingold,  and  Stockmeyer  2003],  we  here  switch 

although this is hidden by the fact that we have omitted the superscripts. The first occurrence of $\Pr_U$ should be $\Pr_U^{m - |Z| + 3}$, since we are taking the probability over the $m + 2 - |Z|$ random inputs to $\mathrm{REAL}_{\Pi,A}$ and the additional random input to $D$; similarly, the second and third occurrences of $\Pr_U$ should be $\Pr_U^3$.

¹⁶ See [Goldreich 2004] for a definition of enhanced trapdoor permutations; the existence of such permutations is implied by the "standard" hardness of factoring assumptions.
the order of the quantifiers and require instead that for every input distribution $\Pr$ over $x \in (\{0,1\}^n)^m$ and $z \in \{0,1\}^*$, and every distinguisher $D$, there exists a (precise) simulator that "tricks" $D$; in essence, we allow there to be a different simulator for each distinguisher. As argued by Dwork et al. [2003], this order of quantification is arguably reasonable when dealing with concrete security. To show that a computation is secure in every concrete setting, it suffices to show that, in every concrete setting (where a "concrete setting" is characterized by an input distribution and the distinguisher used by the adversary), there is a simulator.

•  We  further  weaken  this  condition  by  requiring  only  that  the  probability  of  the  distinguisher 
outputting  1  on  a  real  view  be  (essentially)  no  higher  than  the  probability  of  outputting  1 
on  a  simulated  view.  In  contrast,  the  traditional  definition  requires  these  probabilities  to  be 
(essentially)  equal.  If  we  think  of  the  distinguisher  outputting  1  as  meaning  that  the  adversary 
has  learned  some  important  feature,  then  we  are  saying  that  the  likelihood  of  the  adversary 
learning  an  important  feature  in  the  real  execution  is  essentially  no  higher  than  that  of  the 
adversary  learning  an  important  feature  in  the  “ideal”  computation.  This  condition  on  the 
distinguisher  is  in  keeping  with  the  standard  intuition  of  the  role  of  the  distinguisher. 

•  We  allow  the  adversary  and  the  simulator  to  depend  not  only  on  the  probability  distribution, 
but  also  on  the  particular  security  parameter  n  (in  contrast,  the  definition  of  [Dwork,  Naor, 
Reingold,  and  Stockmeyer  2003]  is  uniform).  That  is  why,  when  considering  weak  precise 
secure  computation  with  (T,  e)-computational  error,  we  require  that  the  adversary  A  and  the 
simulator  D  be  computable  by  circuits  of  size  at  most  T(n)  (with  a  possibly  different  circuit 
for  each  n),  rather  than  a  Turing  machine  with  running  time  T(n).  Again,  this  is  arguably 
reasonable  in  a  concrete  setting,  where  the  security  parameter  is  known. 

• We also allow the computation not to meet the precision bounds with a small probability. The obvious way to do this is to change the requirement in the definition of precise secure computation by replacing 1 by $1 - \epsilon$, to get

$$\Pr_U[\mathrm{STEPS}(\tilde{A}, \mathrm{VIEW}_{f,\tilde{A}}(x, z)) \le p(n, \mathrm{STEPS}(A, \tilde{A}(\mathrm{VIEW}_{f,\tilde{A}}(x, z))))] \ge 1 - \epsilon(n),$$

where $n$ is the input length. We change this requirement in two ways. First, rather than just requiring that this precision inequality hold for all $x$ and $z$, we require that the probability of the inequality holding be at least $1 - \epsilon$ for all distributions $\Pr$ over $x \in (\{0,1\}^n)^m$ and $z \in \{0,1\}^*$.

The second difference is to add an extra argument to the distinguisher, which tells the distinguisher whether the precision requirement is met. In the real computation, we assume that the precision requirement is always met; thus, whenever it is not met, the distinguisher can distinguish the real and ideal computations. We still want the probability that the distinguisher can distinguish the real and ideal computations to be at most $\epsilon(n)$. For example, our definition disallows a scenario where the complexity bound is not met with probability $\epsilon(n)/2$ and the distinguisher can distinguish the computations (without taking the complexity bound into account) with probability $\epsilon(n)/2$.

• In keeping with the more abstract approach used in the definition of robust implementation, the definition of weak precise secure computation is parametrized by the abstract complexity measure $\mathscr{C}$, rather than using $\mathrm{STEPS}$. This just gives us a more general definition; we can always instantiate $\mathscr{C}$ to measure running time.

Definition A.4 (Weak Precise Secure Computation)  Let $f$, $\Pi$, $\mathcal{Z}$, $p$, and $\epsilon$ be as in the definition of precise secure computation, and let $\mathscr{C}$ be a complexity function. Protocol $\Pi$ is a weak $\mathcal{Z}$-secure computation of $f$ with $\mathscr{C}$-precision $p$ and $\epsilon$-statistical error if, for all $n \in \mathbb{N}$, all $Z \in \mathcal{Z}$, all real-execution adversaries $A$ that control the players in $Z$, all distinguishers $D$, and all probability distributions $\Pr$ over $(\{0,1\}^n)^m \times \{0,1\}^*$, there exists an ideal-execution adversary $\tilde{A}$ that controls the players in $Z$ such that

$$\Pr^+(\{(x, z) : D(z, \mathrm{REAL}_{\Pi,A}(x, z), 1) = 1\}) - \Pr^+(\{(x, z) : D(z, \mathrm{IDEAL}_{f,\tilde{A}}(x, z), \mathrm{precise}_{\tilde{A},A,Z}(n, \mathrm{VIEW}_{f,\tilde{A}}(x, z))) = 1\}) \le \epsilon(n),$$

where $\mathrm{precise}_{\tilde{A},A,Z}(n, v) = 1$ if and only if $\mathscr{C}_Z(\tilde{A}, v) \le p(n, \mathscr{C}_Z(A, \tilde{A}(v)))$.¹⁷ $\Pi$ is a weak $\mathcal{Z}$-secure computation of $f$ with $\mathscr{C}$-precision $p$ and $(T, \epsilon)$-computational error if it satisfies the condition above with the adversary $A$ and the distinguisher $D$ restricted to being computable by a randomized circuit of size $T(n)$. Protocol $\Pi$ is a $\mathcal{Z}$-weak secure computation of $f$ with statistical $\mathscr{C}$-precision $p$ if there exists some negligible function $\epsilon$ such that $\Pi$ is a $\mathcal{Z}$-weak secure computation of $f$ with precision $p$ and statistical $\epsilon$-error. Finally, protocol $\Pi$ is a $\mathcal{Z}$-weak secure computation of $f$ with computational $\mathscr{C}$-precision $p$ if for every polynomial $T(\cdot)$, there exists some negligible function $\epsilon$ such that $\Pi$ is a $\mathcal{Z}$-weak secure computation of $f$ with precision $p$ and $(T, \epsilon)$-computational error.

Our terminology suggests that weak precise secure computation is weaker than precise secure computation. This is almost immediate from the definitions if $\mathscr{C}_Z(M, v) = \mathrm{STEPS}(M, v)$ for all $Z \in \mathcal{Z}$. A more interesting setting considers a complexity measure that can depend on $\mathrm{STEPS}(M, v)$ and the size of the description of $M$. It directly follows by inspection that Theorems A.2 and A.3 also hold if, for example, $\mathscr{C}_Z(M, v) = \mathrm{STEPS}(M, v) + O(|M|)$ for all $Z \in \mathcal{Z}$, since the simulators in those results incur only a constant additive overhead in size. (This is not a coincidence. As argued in [Micali and Pass 2006; Pass 2006], the definition of precise simulation guarantees the existence of a "universal" simulator $S$, with "essentially" the same precision, that works for every adversary $A$, provided that $S$ also gets the code of $A$; namely, given a real-execution adversary $A$, the ideal-execution adversary is $\tilde{A} = S(A)$.¹⁸ Since $|S| = O(1)$, it follows that $|\tilde{A}| = |S| + |A| = O(|A|)$.) That is, we have the following variants of Theorems A.2 and A.3:

Theorem A.5  For every well-formed $m$-ary functionality $f$, if $\mathscr{C}_Z(M, v) = \mathrm{STEPS}(M, v) + O(|M|)$ for all sets $Z$, there exists a precision function $p$ such that $p(n, t) = O(t)$ and a protocol $\Pi$ that weak $\mathcal{Z}^m_{\lceil m/3 \rceil - 1}$-securely computes $f$ with $\mathscr{C}$-precision $p$ and 0-statistical error.

Theorem A.6  Suppose that there exists an enhanced trapdoor permutation, and $\mathscr{C}_Z(M, v) = \mathrm{STEPS}(M, v) + O(|M|)$ for all sets $Z$. For every well-formed 2-ary functionality $f$ where only one party gets an output (i.e., $f_1(\cdot) = \lambda$), there exists a precision function $p$ such that $p(n, t) = O(t)$ and a protocol $\Pi$ that weak $\mathcal{Z}^2_1$-securely computes $f$ with computational $\mathscr{C}$-precision $p$.

It is easy to see that the theorems above continue to hold when considering "coarse" versions of the above complexity functions, where, say, $n^2$ computational steps (or size) correspond to one unit of complexity (in a canonical machine game with input length $n$).

B  Proof  of  Theorem  4.2 

In  this  section,  we  prove  Theorem  4.2.  Recall  that  for  one  direction  of  our  main  theorem  we  require 
that  certain  operations,  like  moving  output  from  one  tape  to  another,  do  not  incur  any  additional 
complexity.  We  now  make  this  precise. 

¹⁷ Recall that $\Pr^+$ denotes the product of $\Pr$ and $\Pr_U$ (here, the first $\Pr^+$ is actually $\Pr^{+(m + 2 - |Z|)}$, while the second is $\Pr^{+3}$).

¹⁸ This follows by considering the simulator $S$ for the universal TM (which receives the code to be executed as auxiliary input).
Recall that in the definition of a secure computation, the ideal-execution adversary, $M_Z$, is an algorithm that controls the players in $Z$ and finally provides an output for each of the players it controls and additionally produces an output of its own (which is supposed to be the reconstructed view of the real-execution adversary). Roughly speaking, a complexity function is output-invariant if $M_Z$ can "shuffle" content between its tapes at no cost.

Definition B.1  A complexity function $\mathscr{C}$ is output-invariant if, for every set $Z$ of players, there exists some canonical player $i_Z \in Z$ such that the following three conditions hold:

1. (Outputting view) For every machine $M_Z$ controlling the players in $Z$, there exists some machine $M'_Z$ with the same complexity as $M_Z$ such that the output of $M'_Z(v)$ is identical to $M_Z(v)$ except that player $i_Z$ outputs $y; v$, where $y$ is the output of $i_Z$ in the execution of $M_Z(v)$ (i.e., $M'_Z$ is identical to $M_Z$ with the only exception being that player $i_Z$ also outputs the view of $M'_Z$).

2. (Moving content to a different tape) For every machine $M'_Z$ controlling players $Z$, there exists some machine $M_Z$ with the same complexity as $M'_Z$ such that the output of $M_Z(v)$ is identical to $M'_Z(v)$ except if player $i_Z$ outputs $y; v'$ for some $v' \in \{0,1\}^*$ in the execution of $M'_Z(v)$. In that case, the only difference is that player $i_Z$ outputs only $y$ and $M_Z(v)$ outputs $v'$.

3. (Duplicating content to another output tape) For every machine $M'_Z$ controlling players $Z$, there exists some machine $M_Z$ with the same complexity as $M'_Z$ such that the output of $M_Z(v)$ is identical to $M'_Z(v)$ except if player $i_Z$ outputs $y; v'$ for some $v' \in \{0,1\}^*$ in the execution of $M'_Z(v)$. In that case, the only difference is that $M_Z(v)$ outputs $v'$.

Note that the only difference between conditions 2 and 3 is that in condition 2, player $i_Z$ only outputs $y$, whereas in condition 3 it still outputs its original output $y; v'$.

We  stress  that  we  need  to  consider  output-invariant  complexity  functions  only  to  show  that 
universal  implementation  implies  precise  secure  computation. 

We  now  prove  each  direction  of  Theorem  4.2  separately,  to  make  clear  what  assumptions  we 
need  for  each  part.  We  start  with  the  “only  if”  direction. 

Theorem B.2 Let $\vec M, f, \mathcal{F}, \mathcal{Z}$ be as in the statement of Theorem 4.2, and let $\mathcal{C}$ be an $\vec M$-acceptable complexity function. If $\vec M$ is an abort-preserving weak $\mathcal{Z}$-secure computation of $f$ with $\mathcal{C}$-precision $p$ and error $\epsilon$, then $(\vec M, \mathrm{comm})$ is a strong $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$.

Proof: Suppose that $\vec M$ is a weak $\mathcal{Z}$-secure computation of $f$ with $\mathcal{C}$-precision $p$ and $\epsilon$-statistical error. Since $\vec M$ computes $f$, for every game $G \in \mathcal{G}^{\mathcal{C}}$, the action profile induced by $\vec M$ in $(G, \mathrm{comm})$ is identically distributed to the action profile induced by $\Lambda^{\mathcal{F}}$ in $(G, \mathcal{F})$. We now show that $(\vec M, \mathrm{comm})$ is a $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$.

Claim B.3 $(\vec M, \mathrm{comm})$ is a $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$.

Proof: Let $G \in \mathcal{G}^{\mathcal{C}}$ be a game with input length $n$ such that $\Lambda^{\mathcal{F}}$ is a $p(n,\cdot)$-robust $\mathcal{Z}$-safe equilibrium in $(G, \mathcal{F})$. We show that $\vec M$ is a $\mathcal{Z}$-safe $\epsilon(n)$-equilibrium in $(G, \mathrm{comm})$. Recall that this is equivalent to showing that no coalition of players $Z \in \mathcal{Z}$ can increase their utility by more than $\epsilon(n)$ by deviating from their prescribed strategies. In other words, for all $Z \in \mathcal{Z}$ and machines $M'_Z$, we need to show that
$$U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) \le U_Z^{(G,\mathrm{comm})}(M^b_Z, \vec M_{-Z}) + \epsilon(n).$$
Suppose, by way of contradiction, that there exists some machine $M'_Z$ such that
$$U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) > U_Z^{(G,\mathrm{comm})}(M^b_Z, \vec M_{-Z}) + \epsilon(n). \quad (1)$$

We now obtain a contradiction by showing that there exists some other game $\tilde G$ that is at most a $p(n,\cdot)$-speedup of $G$ and a machine $\tilde M_Z$ such that
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) > U_Z^{(\tilde G,\mathcal{F})}((\Lambda^{\mathcal{F}})^b_Z, \Lambda^{\mathcal{F}}_{-Z}). \quad (2)$$

This contradicts the assumption that $\Lambda^{\mathcal{F}}$ is a $p$-robust equilibrium.

Note that the machine $M'_Z$ can be viewed as a real-execution adversary controlling the players in $Z$. The machine $\tilde M_Z$ will be defined as the simulator for $M'_Z$ for some appropriately defined input distribution $\Pr$ on $(\{0,1\}^n)^m \times \{0,1\}^*$ and distinguisher $D$. Intuitively, $\Pr$ will be the type distribution in the game $G$ (where $z$ is nature's type), and the distinguisher $D$ will capture the utility function $u_Z$. There is an obvious problem with using the distinguisher to capture the utility function: the distinguisher outputs a single bit, whereas the utility function outputs a real. To get around this problem, we define a probabilistic distinguisher that outputs 1 with a probability that is determined by the expected utility; this is possible since the game is normalized, so the expected utility is guaranteed to be in $[0,1]$. We also cannot quite use the same distribution for the machine $\vec M$ as for the game $G$. The problem is that, if $G \in \mathcal{G}^{\mathcal{C}}$ is a canonical game with input length $n$, the types in $G$ have the form $x;z$, where $x \in \{0,1\}^n$. The protocol $\vec M$ in $(G, \mathrm{comm})$ ignores the $z$, and sends the mediator the $x$. On the other hand, in a secure computation, the honest players provide their input (i.e., their type) to the mediator. Thus, we must convert a type $x_i;z_i$ of a player $i$ in the game $G$ to a type $x$ for $\vec M$.

More formally, we proceed as follows. Suppose that $G$ is a canonical game with input length $n$, and the type space of $G$ is $T$. Given $t = (x_1;z_1, \ldots, x_m;z_m, t_N) \in T$, define $t^0$ by taking $t^0_i = x_i;z_i$ if $i \in Z$, $t^0_i = x_i$ if $i \notin Z$, and $t^0_N = t_N;z_1;\ldots;z_m$. Say that $(\vec x, z)$ is acceptable if there is some (necessarily unique) $t \in T$ such that $z = t^0_{i_1};\ldots;t^0_{i_k};t^0_N$, where $i_1, \ldots, i_k$ enumerate $Z$, and $\vec x = (t^0_1, \ldots, t^0_m)$. If $(\vec x, z)$ is acceptable, let $t_{\vec x,z}$ be the element of $T$ determined this way. If $\Pr_G$ is the probability distribution over types, $\Pr(\vec x, z) = \Pr_G(t_{\vec x,z})$ if $(\vec x, z)$ is acceptable, and $\Pr(\vec x, z) = 0$ otherwise.

Define the probabilistic distinguisher $D$ as follows: if $\mathrm{precise} = 0$ or $(\vec x, z)$ is not acceptable, then $D(z, (\vec x, \vec y, \mathrm{view}), \mathrm{precise}) = 0$; otherwise $D(z, (\vec x, \vec y, \mathrm{view}), \mathrm{precise}) = 1$ with probability $u_Z(t_{\vec x,z}, \vec y, (\mathcal{C}_Z(M'_Z, \mathrm{view}), c_{0,-Z}))$.

Since we can view $M'_Z$ as a real-execution adversary controlling the players in $Z$, the definition of weak precise secure computation guarantees that, for the distinguisher $D$ and the distribution $\Pr$ described above, there exists a simulator $\tilde M_Z$ such that
$$\Pr^+(\{(\vec x, z) : D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z), 1) = 1\}) - \Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}) \le \epsilon(n). \quad (3)$$

We can assume without loss of generality that if $\tilde M_Z$ sends no messages and outputs nothing, then $\tilde M_Z = \bot$. (This can only make its complexity smaller and thus make $D$ output 1 more often.)

We next define a new complexity function $\tilde{\mathcal{C}}$ that, by construction, will be at most a $p(n,\cdot)$-speedup of $\mathcal{C}$. Intuitively, this complexity function will consider the speedup required to make up for the "overhead" of the simulator $\tilde M_Z$ when simulating $M'_Z$. To ensure that the speedup is not too large, we incur it only on views where the simulation by $\tilde M_Z$ is "precise". Specifically, let the complexity function $\tilde{\mathcal{C}}$ be identical to $\mathcal{C}$, except that if $\mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, v) = 1$ and $\mathcal{C}_Z(\tilde M_Z, v) > \mathcal{C}_Z(M'_Z, \tilde v)$, where $\tilde v$ is the view output by $\tilde M_Z(v)$, then $\tilde{\mathcal{C}}_Z(\tilde M_Z, v) = \mathcal{C}_Z(M'_Z, \tilde v)$. (Note that $v$ is a view for the ideal execution. $M'_Z$ runs in the real execution, so we need to give it as input the view output by $\tilde M_Z$ given view $v$, namely $\tilde v$. Recall that the simulator $\tilde M_Z$ is trying to reconstruct the view of $M'_Z$. Also, note that we did not define $\tilde{\mathcal{C}}_Z(\tilde M_Z, v) = \mathcal{C}_Z(M'_Z, \tilde v)$ if $\mathcal{C}_Z(\tilde M_Z, v) < \mathcal{C}_Z(M'_Z, \tilde v)$, for then $\tilde{\mathcal{C}}_Z$ would not be a speedup of $\mathcal{C}_Z$. Finally, $\tilde{\mathcal{C}}_Z$ must assign 0 complexity only to $\bot$, as is required for a complexity function; this holds because if $M'_Z = \bot$ then, without loss of generality, $\tilde M_Z = \bot$ as well, which directly follows from the fact that $\vec M$ is abort-preserving.) By construction, $\tilde{\mathcal{C}}_Z$ is at most a $p(n,\cdot)$-speedup of $\mathcal{C}_Z$. Let $\tilde G$ be identical to $G$ except that the complexity function is $\tilde{\mathcal{C}}$. It is immediate that $\tilde G$ is at most a $p(n,\cdot)$-speedup of $G$.

We claim that it follows from the definition of $D$ that
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) \ge \Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}). \quad (4)$$

To see this, let $a_Z(t, \vec r)$ (resp., $a_i(t, \vec r)$) denote the output that $\tilde M_Z$ places on the output tapes of the players in $Z$ (resp., the output of player $i \notin Z$) when the strategy profile $(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z})$ is used with mediator $\mathcal{F}$, the type profile is $t$, and the random strings are $\vec r$. (Note that these outputs are completely determined by $t$ and $\vec r$.) Similarly, let $\mathrm{view}_{\tilde M_Z}(t, \vec r)$ and $\mathrm{view}_i(t, \vec r)$ denote the views of the adversary and of player $i \notin Z$ in this case.

Since each type profile $t \in T$ is $t_{\vec x,z}$ for some $(\vec x, z)$, and $\Pr_G(t_{\vec x,z}) = \Pr(\vec x, z)$, we have
$$\begin{aligned}
& U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) \\
&= \sum_{t, \vec r} \Pr^+_G(t, \vec r)\, u_Z\big(t, (a_Z(t, \vec r), a_{-Z}(t, \vec r)), (\tilde{\mathcal{C}}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t, \vec r)), \tilde{\mathcal{C}}_{-Z}(\Lambda^{\mathcal{F}}_{-Z}, \mathrm{view}_{-Z}(t, \vec r)))\big) \\
&= \sum_{\vec x, z, \vec r} \Pr^+(\vec x, z, \vec r)\, u_Z\big(t_{\vec x,z}, (a_Z(t_{\vec x,z}, \vec r), a_{-Z}(t_{\vec x,z}, \vec r)), (\tilde{\mathcal{C}}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r)), c_{0,-Z})\big).
\end{aligned}$$

In the third line, we use the fact that $\tilde{\mathcal{C}}_i(\Lambda^{\mathcal{F}}_i, \mathrm{view}_i(t, \vec r)) = \mathcal{C}_i(\Lambda^{\mathcal{F}}_i, \mathrm{view}_i(t, \vec r)) = c_0$ for all $i \notin Z$, since $\mathcal{C}$ is $\vec M$-acceptable. Thus, it suffices to show that, for all $\vec x$, $z$, and $\vec r$,
$$u_Z\big(t_{\vec x,z}, (a_Z(t_{\vec x,z}, \vec r), a_{-Z}(t_{\vec x,z}, \vec r)), (\tilde{\mathcal{C}}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r)), c_{0,-Z})\big) \ge \Pr_{\mathcal{U}}\big(D(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z, \vec r), \mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z, \vec r))) = 1\big). \quad (5)$$

This inequality clearly holds if $\mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z, \vec r)) = 0$, since in that case the right-hand side is 0.$^{19}$ Next consider the case when $\mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z, \vec r)) = 1$. In this case, by the definition of $D$, the right-hand side equals
$$u_Z\big(t_{\vec x,z}, (a_Z(t_{\vec x,z}, \vec r), a_{-Z}(t_{\vec x,z}, \vec r)), (\mathcal{C}_Z(M'_Z, v_Z(t_{\vec x,z}, \vec r)), c_{0,-Z})\big),$$
where $v_Z(t_{\vec x,z}, \vec r) = \tilde M_Z(\mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r))$ (i.e., the view output by $\tilde M_Z$). By the definition of $\tilde{\mathcal{C}}$, it follows that when $\mathcal{C}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r)) > \mathcal{C}_Z(M'_Z, v_Z(t_{\vec x,z}, \vec r))$ and $\mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z, \vec r)) = 1$, then $\tilde{\mathcal{C}}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r)) = \mathcal{C}_Z(M'_Z, v_Z(t_{\vec x,z}, \vec r))$, and (5) holds with $\ge$ replaced by $=$. On the other hand, when $\mathcal{C}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r)) \le \mathcal{C}_Z(M'_Z, v_Z(t_{\vec x,z}, \vec r))$, then $\tilde{\mathcal{C}}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r)) = \mathcal{C}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r))$, and thus $\mathcal{C}_Z(M'_Z, v_Z(t_{\vec x,z}, \vec r)) \ge \tilde{\mathcal{C}}_Z(\tilde M_Z, \mathrm{view}_{\tilde M_Z}(t_{\vec x,z}, \vec r))$; (5) then holds by the monotonicity of $u_Z$.

Similarly, we have that
$$\Pr^+(\{(\vec x, z) : D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z), 1) = 1\}) = U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}). \quad (6)$$

$^{19}$Note that we here rely on the fact that $G$ is $\mathcal{C}$-natural and hence normalized, so that the range of $u_Z$ is $[0,1]$.

In more detail, a similar argument to that for (4) shows that it suffices to show that, for all $\vec x$, $z$, and $\vec r$,
$$u_Z\big(t_{\vec x,z}, (a_Z(t_{\vec x,z}, \vec r), a_{-Z}(t_{\vec x,z}, \vec r)), (\mathcal{C}_Z(M'_Z, \mathrm{view}_{M'_Z}(t_{\vec x,z}, \vec r)), \mathcal{C}_{-Z}(\vec M_{-Z}, \mathrm{view}_{\vec M_{-Z}}(t_{\vec x,z}, \vec r)))\big) = \Pr_{\mathcal{U}}\big(D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z, \vec r), 1) = 1\big),$$
where $a_Z(t, \vec r)$, $a_i(t, \vec r)$, $\mathrm{view}_{M'_Z}(t, \vec r)$, and $\mathrm{view}_{M_i}(t, \vec r)$ are appropriately defined outputs and views in an execution of $(M'_Z, \vec M_{-Z})$. Since $\mathcal{C}$ is $\vec M$-acceptable, $\mathcal{C}_{-Z}(\vec M_{-Z}, \mathrm{view}_{\vec M_{-Z}}(t_{\vec x,z}, \vec r)) = c_{0,-Z}$, and Equation (6) follows.

It now follows immediately from (3), (4), and (6) that
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) \ge U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) - \epsilon(n). \quad (7)$$

Combined with (1), this yields
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) > U_Z^{(G,\mathrm{comm})}(M^b_Z, \vec M_{-Z}). \quad (8)$$

Since $\vec M$ and $\mathcal{F}$ both compute $f$ (and thus must have the same distribution over outcomes), it follows that
$$U_Z^{(G,\mathrm{comm})}(M^b_Z, \vec M_{-Z}) = U_Z^{(G,\mathcal{F})}((\Lambda^{\mathcal{F}})^b_Z, \Lambda^{\mathcal{F}}_{-Z}) = U_Z^{(\tilde G,\mathcal{F})}((\Lambda^{\mathcal{F}})^b_Z, \Lambda^{\mathcal{F}}_{-Z}). \quad (9)$$

For the last equality, recall that $\tilde G$ is identical to $G$ except for the complexity of $\tilde M_Z$ (and hence the utility of strategy profiles involving $\tilde M_Z$). Thus, the last equality follows once we show that $(\Lambda^{\mathcal{F}})^b_Z \ne \tilde M_Z$. This follows from the various technical assumptions we have made. If $(\Lambda^{\mathcal{F}})^b_Z = \tilde M_Z$, then $\tilde M_Z$ sends no messages (all the messages sent by $\Lambda^{\mathcal{F}}$ to the communication mediator are ignored, since they have the wrong form), and does not output anything (since messages from the communication mediator are not signed by $\mathcal{F}$). Thus, $\tilde M_Z$ acts like $\bot$. By assumption, this means that $\tilde M_Z = \bot$, so $\tilde M_Z \ne (\Lambda^{\mathcal{F}})^b_Z$.

From (8) and (9), we conclude that
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) > U_Z^{(\tilde G,\mathcal{F})}((\Lambda^{\mathcal{F}})^b_Z, \Lambda^{\mathcal{F}}_{-Z}),$$
which gives the desired contradiction. $\blacksquare$

It remains to show that $(\vec M, \mathrm{comm})$ is also a strong $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$. That is, if $\bot$ is a $p(n,\cdot)$-robust best response to $\Lambda^{\mathcal{F}}_{-Z}$ in $(G, \mathcal{F})$ then $\bot$ is an $\epsilon$-best response to $\vec M_{-Z}$ in $(G, \mathrm{comm})$. Suppose, by way of contradiction, that there exists some $M'_Z$ such that
$$U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) > U_Z^{(G,\mathrm{comm})}(\bot, \vec M_{-Z}) + \epsilon(n). \quad (10)$$

It follows using the same proof as in Claim B.3 (see Equation (7)) that there exists a game $\tilde G$ that is at most a $p(n,\cdot)$-speedup of $G$ and a machine $\tilde M_Z$ such that
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) \ge U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) - \epsilon(n).$$

Combined with (10), this yields
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) > U_Z^{(G,\mathrm{comm})}(\bot, \vec M_{-Z}). \quad (11)$$

Since $\vec M$ is an abort-preserving computation of $f$ and $\mathcal{F}$ computes $f$ (and thus must have the same distribution over outcomes), it follows that
$$U_Z^{(G,\mathrm{comm})}(\bot, \vec M_{-Z}) = U_Z^{(G,\mathcal{F})}(\bot, \Lambda^{\mathcal{F}}_{-Z}) = U_Z^{(\tilde G,\mathcal{F})}(\bot, \Lambda^{\mathcal{F}}_{-Z}). \quad (12)$$

The last equality follows as in the proof of Claim B.3, since $\tilde G$ is identical to $G$ except for the complexity of $\tilde M_Z$. Combining (11) and (12) we have
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) > U_Z^{(\tilde G,\mathcal{F})}(\bot, \Lambda^{\mathcal{F}}_{-Z}).$$

But this contradicts the assumption that $\bot$ is a $p(n,\cdot)$-robust best response to $\Lambda^{\mathcal{F}}_{-Z}$ in $(G, \mathcal{F})$. $\blacksquare$

We now prove the "if" direction of Theorem 4.2. For this direction, we need the assumption that $\mathcal{C}$ is output-invariant. Moreover, we get a slightly weaker implication: we show only that for every $\epsilon, \epsilon'$ such that $\epsilon' < \epsilon$, strong universal implementation with error $\epsilon'$ implies weak secure computation with error $\epsilon$. (After proving this result, we introduce some additional restrictions on $\mathcal{C}$ that suffice to prove the implication for the case when $\epsilon' = \epsilon$.) However, we no longer need the assumption that $\vec M$ is abort-preserving.

Theorem B.4 Suppose that $\vec M, f, \mathcal{F}, \mathcal{Z}$ are as above, $\epsilon' < \epsilon$, and $\mathcal{C}$ is an $\vec M$-acceptable output-invariant complexity function. If $(\vec M, \mathrm{comm})$ is a strong $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon'$, then $\vec M$ is a weak $\mathcal{Z}$-secure computation of $f$ with $\mathcal{C}$-precision $p$ and error $\epsilon$.

Proof: Let $(\vec M, \mathrm{comm})$ be a strong $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon'(\cdot)$. We show that $\vec M$ weak $\mathcal{Z}$-securely computes $f$ with $\mathcal{C}$-precision $p(\cdot,\cdot)$ and error $\epsilon(\cdot)$. Suppose, by way of contradiction, that there exists some $n \in \mathbb{N}$, a distribution $\Pr$ on $(\{0,1\}^n)^m \times \{0,1\}^*$, a subset $Z \in \mathcal{Z}$, a distinguisher $D$, and a machine $M'_Z \in \mathcal{M}$ that controls the players in $Z$ such that for all machines $\tilde M_Z$,
$$\Pr^+(\{(\vec x, z) : D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z), 1) = 1\}) - \Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}) > \epsilon(n). \quad (13)$$

To obtain a contradiction we consider two cases: $M'_Z = \bot$ or $M'_Z \ne \bot$.

Case 1: $M'_Z = \bot$. We define a game $G \in \mathcal{G}^{\mathcal{C}}$ such that $\Lambda^{\mathcal{F}}$ is a $p$-robust $\mathcal{Z}$-safe equilibrium in the game $(G, \mathcal{F})$, and show that
$$U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) > U_Z^{(G,\mathrm{comm})}(M^b_Z, \vec M_{-Z}) + \epsilon(n),$$
which contradicts the assumption that $(\vec M, \mathrm{comm})$ is a $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon' < \epsilon$.

Intuitively, $G$ is such that the strategy $\bot$ (which is the only one that has complexity 0) gets a utility that is determined by the probability with which the distinguisher $D$ outputs 1 (on input the type and action profile). On the other hand, all other strategies (i.e., all strategies with positive complexity) get the same utility $d$. If $d$ is selected so that the probability of $D$ outputting 1 in $(G, \mathcal{F})$ is at most $d$, it follows that $\Lambda^{\mathcal{F}}$ is a $p$-robust Nash equilibrium. However, $\bot$ will be a profitable deviation in $(G, \mathrm{comm})$.

In more detail, we proceed as follows. Let
$$d = \Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \bot}(\vec x, z), 1) = 1\}). \quad (14)$$

Consider the game $G = ([m], \mathcal{M}, \Pr, \mathcal{C}, \vec u)$, where $u_{Z'}(t, \vec a, \vec c) = 0$ for all $Z' \ne Z$ and
$$u_Z((t_1, \ldots, t_m, t_N), \vec a, (c_Z, \vec c_{-Z})) = \begin{cases} \Pr_{\mathcal{U}}\big(D(t_N, ((t_1, \ldots, t_m), \vec a), 1) = 1\big) & \text{if } c_Z = 0 \\ d & \text{otherwise,} \end{cases}$$
where, as before, $\Pr_{\mathcal{U}}$ is the uniform distribution on $\{0,1\}^\infty$ ($D$'s random string). It follows from the definition of $D$ (and the fact that only $\bot$ can have complexity 0) that, for all games $\tilde G$ that are speedups of $G$ and all machines $\tilde M_Z$,
$$U_Z^{(\tilde G,\mathcal{F})}(\tilde M_Z, \Lambda^{\mathcal{F}}_{-Z}) \le d.$$

Since $(\Lambda^{\mathcal{F}})^b_Z \ne \bot$ (since $\mathcal{C}$ is $\vec M$-acceptable, and $\Lambda^{\mathcal{F}}$ thus has complexity $c_0 > 0$), we conclude that $\Lambda^{\mathcal{F}}$ is a $p$-robust $\mathcal{Z}$-safe Nash equilibrium. In contrast (again since $M^b_Z \ne \bot$), $U_Z^{(G,\mathrm{comm})}(M^b_Z, \vec M_{-Z}) = d$. But, since $M'_Z = \bot$ by assumption, we have
$$\begin{aligned}
U_Z^{(G,\mathrm{comm})}(\bot, \vec M_{-Z}) &= U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) \\
&= \Pr^+(\{(\vec x, z) : D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z), 1) = 1\}) \\
&> d + \epsilon(n) \qquad \text{[by (13) and (14)]},
\end{aligned}$$
which is a contradiction.


Case 2: $M'_Z \ne \bot$. To obtain a contradiction, we first show that, without loss of generality, $M'_Z$ lets one of the players in $Z$ output the view of $M'_Z$. Next, we define a game $G \in \mathcal{G}^{\mathcal{C}}$ such that $\bot$ is a $p(n,\cdot)$-robust best response to $\Lambda^{\mathcal{F}}_{-Z}$ in $(G, \mathcal{F})$. We then show that
$$U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) > U_Z^{(G,\mathrm{comm})}(\bot, \vec M_{-Z}) + \epsilon(n),$$
which contradicts the assumption that $(\vec M, \mathrm{comm})$ is a strong $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon' < \epsilon$.

To prove the first step, note that by the first condition in the definition of output-invariant, there exists some canonical player $i_Z \in Z$ and a machine $M''_Z$ controlling the players in $Z$ with the same complexity as $M'_Z$ such that the output of $M''_Z(v)$ is identical to $M'_Z(v)$, except that player $i_Z$ outputs $y;v$, where $y$ is the output of $i_Z$ in the execution of $M'_Z(v)$. We can obtain a counterexample with $M''_Z$ just as well as with $M'_Z$ by considering the distinguisher $D'$ which is defined identically to $D$, except that if $y_{i_Z} = y;v'$ for some $v' \in \{0,1\}^*$, then $D'(z, (\vec x, \vec y, v), \mathrm{precise}) = D(z, (\vec x, \vec y', v'), \mathrm{precise})$, where $\vec y'$ is identical to $\vec y$ except that $y'_{i_Z} = y$. Consider an ideal-execution adversary $\tilde M_Z$. We claim that
$$\Pr^+(\{(\vec x, z) : D'(z, \mathrm{REAL}_{\vec M, M''_Z}(\vec x, z), 1) = 1\}) - \Pr^+(\{(\vec x, z) : D'(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M''_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}) > \epsilon(n). \quad (15)$$

By definition of $D'$ and $M''_Z$, it follows that
$$\Pr^+(\{(\vec x, z) : D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z), 1) = 1\}) = \Pr^+(\{(\vec x, z) : D'(z, \mathrm{REAL}_{\vec M, M''_Z}(\vec x, z), 1) = 1\}). \quad (16)$$

By the second condition of the definition of output-invariant, there exists a machine $\tilde M'_Z$ with the same complexity as $\tilde M_Z$ such that the output of $\tilde M'_Z(v)$ is identical to $\tilde M_Z(v)$ except that if player $i_Z$ outputs $y;v'$ for some $v' \in \{0,1\}^*$ in the execution by $\tilde M_Z(v)$, then it outputs only $y$ in the execution by $\tilde M'_Z(v)$; furthermore, $\tilde M'_Z(v)$ outputs $v'$ on its own output tape (representing the reconstructed view of $M'_Z$). It follows that
$$\Pr^+(\{(\vec x, z) : D'(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M''_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}) = \Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \tilde M'_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, \tilde M'_Z}(n, \mathrm{view}_{f, \tilde M'_Z}(\vec x, z))) = 1\}). \quad (17)$$

Equation (15) is now immediate from (13), (16), and (17). In the remainder of the proof we may therefore assume, without loss of generality, that $M'_Z$ itself lets player $i_Z$ output the view of $M'_Z$.

We now define a game $G \in \mathcal{G}^{\mathcal{C}}$ such that $\bot$ is a $p(n,\cdot)$-robust best response to $\Lambda^{\mathcal{F}}_{-Z}$ in $(G, \mathcal{F})$, but $\bot$ is not an $\epsilon$-best response to $\vec M_{-Z}$ in $(G, \mathrm{comm})$. Intuitively, $G$ is such that simply playing $\bot$ guarantees a high payoff. However, if a coalition controlling $Z$ can provide a view that cannot be "simulated", then it receives an even higher payoff. By definition, it will be hard to find such a view in the mediated game. However, by our assumption that $\vec M$ is not a secure computation protocol, it is possible for the machine controlling $Z$ to obtain such a view in the cheap-talk game.

In more detail, we proceed as follows. Let
$$d = \sup_{\tilde M_Z \in \mathcal{M}} \Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}). \quad (18)$$

Consider the game $G = ([m], \mathcal{M}, \Pr, \mathcal{C}, \vec u)$, where $u_{Z'}(t, \vec a, \vec c) = 0$ for all $Z' \ne Z$ and
$$u_Z(t, \vec a, \vec c) = \begin{cases} d & \text{if } c_Z = 0 \\ \Pr_{\mathcal{U}}\big(D(t_N, ((t_1, \ldots, t_m), \vec a, v), 1) = 1\big) & \text{if } a_{i_Z} = y;v \text{ and } 0 < p(n, c_Z) \le p(n, \mathcal{C}_Z(M'_Z, v)) \\ 0 & \text{otherwise.} \end{cases}$$

Clearly, $G \in \mathcal{G}^{\mathcal{C}}$.

Claim B.5 $\bot$ is a $p(n,\cdot)$-robust best response to $\Lambda^{\mathcal{F}}_{-Z}$ in $(G, \mathcal{F})$.

Proof: Suppose, by way of contradiction, that there exists some game $\tilde G$ with complexity profile $\tilde{\mathcal{C}}$ that is at most a $p(n,\cdot)$-speedup of $G$ and a machine $M^*_Z$ such that
$$U_Z^{(\tilde G,\mathcal{F})}(M^*_Z, \Lambda^{\mathcal{F}}_{-Z}) > U_Z^{(\tilde G,\mathcal{F})}(\bot, \Lambda^{\mathcal{F}}_{-Z}). \quad (19)$$

It is immediate from (19) that $M^*_Z \ne \bot$. Thus, it follows from the definition of complexity functions that $\tilde{\mathcal{C}}(M^*_Z, v) \ne 0$ for all $v \in \{0,1\}^*$. That means that when calculating $U_Z^{(\tilde G,\mathcal{F})}(M^*_Z, \Lambda^{\mathcal{F}}_{-Z})$, the second or third condition in the definition of $u_Z$ must apply. Moreover, the second condition applies on type $(\vec x, z)$ only if $a_{i_Z}$ has the form $y;v$ and $0 < p(n, \tilde{\mathcal{C}}_Z(M^*_Z, \mathrm{view}_{f, M^*_Z}(\vec x, z))) \le p(n, \mathcal{C}_Z(M'_Z, v))$. Since $\tilde{\mathcal{C}}$ is at most a $p$-speedup of $\mathcal{C}$, the latter condition implies that $0 < \mathcal{C}_Z(M^*_Z, \mathrm{view}_{f, M^*_Z}(\vec x, z)) \le p(n, \mathcal{C}_Z(M'_Z, v))$. Hence, $U_Z^{(\tilde G,\mathcal{F})}(M^*_Z, \Lambda^{\mathcal{F}}_{-Z})$ is at most
$$\Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}'_{f, M^*_Z}(\vec x, z), \mathrm{precise}'_{Z, M'_Z, M^*_Z}(n, \mathrm{view}_{f, M^*_Z}(\vec x, z))) = 1\}),$$
where $\mathrm{IDEAL}'_{f, M^*_Z}$ is defined identically to $\mathrm{IDEAL}_{f, M^*_Z}$, except that $y_{i_Z}$ (the output of player $i_Z$) is parsed as $y;v$, and $v$ is taken as the output of $M^*_Z$ (representing the reconstructed view of $M'_Z$); analogously, $\mathrm{precise}'$ is defined just as $\mathrm{precise}$ except that $v$ is taken as the view of $M'_Z$ reconstructed by $M^*_Z$ (if $y_{i_Z} = y;v$). Since $\tilde{\mathcal{C}}_Z(\bot, v) = 0$ for all $v$, the definition of $u_Z$ guarantees that $U_Z^{(\tilde G,\mathcal{F})}(\bot, \Lambda^{\mathcal{F}}_{-Z}) = d$. It thus follows from (19) that
$$U_Z^{(\tilde G,\mathcal{F})}(M^*_Z, \Lambda^{\mathcal{F}}_{-Z}) > d.$$

Thus,
$$\Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}'_{f, M^*_Z}(\vec x, z), \mathrm{precise}'_{Z, M'_Z, M^*_Z}(n, \mathrm{view}_{f, M^*_Z}(\vec x, z))) = 1\}) > d.$$

The third condition of the definition of output-invariant complexity implies that there must exist some $M^{**}_Z$ such that
$$\Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, M^{**}_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, M^{**}_Z}(n, \mathrm{view}_{f, M^{**}_Z}(\vec x, z))) = 1\}) > d,$$
which contradicts (18). Thus, $\bot$ is a $p(n,\cdot)$-robust best response to $\Lambda^{\mathcal{F}}_{-Z}$ in $(G, \mathcal{F})$. $\blacksquare$

Since $(\vec M, \mathrm{comm})$ is a strong $(\mathcal{G}^{\mathcal{C}}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon'$, and $\bot$ is a $p(n,\cdot)$-robust best response to $\Lambda^{\mathcal{F}}_{-Z}$ in $(G, \mathcal{F})$, it must be the case that $\bot$ is an $\epsilon'$-best response to $\vec M_{-Z}$ in $(G, \mathrm{comm})$. However, by definition of $u_Z$, we have that
$$\begin{aligned}
U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) &= \sum_{t, \vec r} \Pr^+(t, \vec r)\, u_Z\big(t, (M'_Z(\mathrm{view}_{M'_Z}(t, \vec r)), \vec M_{-Z}(\mathrm{view}_{\vec M_{-Z}}(t, \vec r))), (\mathcal{C}_Z(M'_Z, \mathrm{view}_{M'_Z}(t, \vec r)), \mathcal{C}_{-Z}(\vec M_{-Z}, \mathrm{view}_{\vec M_{-Z}}(t, \vec r)))\big) \\
&= \Pr^+(\{(\vec x, z) : D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z), 1) = 1\}),
\end{aligned}$$
where $\mathrm{view}_{M'_Z}(t, \vec r)$ (resp., $\mathrm{view}_{\vec M_{-Z}}(t, \vec r)$) denotes the view of $M'_Z$ (resp., $\vec M_{-Z}$) when the strategy profile $(M'_Z, \vec M_{-Z})$ is used with mediator $\mathrm{comm}$. The second equality follows from the fact that player $i_Z$ outputs the view of $M'_Z$. Recall that (13) holds (with strict inequality) for every machine $\tilde M_Z$. It follows that
$$\begin{aligned}
U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) &= \Pr^+(\{(\vec x, z) : D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z), 1) = 1\}) \\
&\ge \sup_{\tilde M_Z \in \mathcal{M}} \Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}) + \epsilon(n) \\
&= d + \epsilon(n),
\end{aligned} \quad (20)$$
where the last equality follows from (18).

Since $U_Z^{(G,\mathrm{comm})}(\bot, \vec M_{-Z}) = d$ and $\epsilon'(n) < \epsilon(n)$, this is a contradiction. This completes the proof of the theorem. $\blacksquare$

Note that if the set
$$S = \{\Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}) : \tilde M_Z \in \mathcal{M}\}$$
has a maximal element $d$, then by (13), equation (20) would hold with strict inequality, and thus Theorem B.4 would hold even if $\epsilon' = \epsilon$. We can ensure this by introducing some additional technical (but natural) restrictions on $\mathcal{C}$. For instance, suppose that $\mathcal{C}$ is such that for every complexity bound $c$, the number of machines that have complexity at most $c$ is finite, i.e., for every $c \in \mathbb{N}$, there exists some constant $N$ such that $|\{M \in \mathcal{M} : \exists v \in \{0,1\}^*\ \mathcal{C}(M, v) \le c\}| = N$. Under this assumption $S$ is finite and thus has a maximal element.

C  Proof  of  Theorem  4.3 

We  again  separate  out  the  two  directions  of  the  proof. 

Theorem C.1 Let $\vec M, f, \mathcal{F}, \mathcal{Z}$ be as above, let $\mathcal{C}$ be an $\vec M$-acceptable efficient complexity function, and $p$ a precision function. If $\vec M$ is an abort-preserving weak $\mathcal{Z}$-secure computation of $f$ with computational $\mathcal{C}$-precision $p$, then for every polynomial $T$, there exists some negligible function $\epsilon$ such that $(\vec M, \mathrm{comm})$ is a strong $(\mathcal{G}^{\mathcal{C},T}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$.

Proof Sketch: The proof follows the same lines as that of Theorem B.2. Assume that $\vec M$ computes $f$ with computational $\mathcal{C}$-precision $p$. Since $\vec M$ computes $f$, it follows that for every polynomial $T$ and game $G \in \mathcal{G}^{\mathcal{C},T}$, the action profile induced by $\vec M$ in $(G, \mathrm{comm})$ is identically distributed to the action profile induced by $\Lambda^{\mathcal{F}}$ in $(G, \mathcal{F})$. We now show that, for every polynomial $T$, there exists some negligible function $\epsilon$ such that $(\vec M, \mathrm{comm})$ is a $(\mathcal{G}^{\mathcal{C},T}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$. Assume, by way of contradiction, that there exist polynomials $T$ and $g$ and infinitely many $n \in \mathbb{N}$ such that the following conditions hold:

• there exists some game $G \in \mathcal{G}^{\mathcal{C},T}$ with input length $n$ such that $\Lambda^{\mathcal{F}}$ is a $p(n,\cdot)$-robust $\mathcal{Z}$-safe equilibrium in $(G, \mathcal{F})$;

• there exists some machine $M'_Z \in \mathcal{M}_{T(n)}$ such that
$$U_Z^{(G,\mathrm{comm})}(M'_Z, \vec M_{-Z}) > U_Z^{(G,\mathrm{comm})}(M^b_Z, \vec M_{-Z}) + \frac{1}{g(n)}. \quad (21)$$

It follows using the same proof as in Theorem B.2 that this contradicts the weak secure computation property of $\vec M$. To apply this proof, we need to make sure that the distinguisher $D$ constructed can be implemented by a polynomial-sized circuit. However, since by our assumption $\mathcal{C}$ is efficient and $u$ is $T(\cdot)$-sized computable, it follows that $D$ can be constructed efficiently. We also need to verify that the "simulator" algorithm $\tilde M_Z$ is a valid strategy in $\tilde G$. At first sight, this seems to be a problem, since the size of $\tilde M_Z$ might be bigger than $T(n)$. Note, however, that the definition of robust Nash equilibrium lets us consider any game $\tilde G$ that is identical to $G$ except for the complexity profile and the machine set $\mathcal{M}$. In particular, if we let the machine set $\tilde{\mathcal{M}}$ in $\tilde G$ be the full set of machines $\mathcal{M}$ (just as it was in the proof of Theorem B.2), we ensure that $\tilde M_Z$ is a valid strategy in $\tilde G$ (although it might not be one in $G$).

Strong universal implementation follows in an analogous way. $\blacksquare$

Theorem C.2 Let $\vec M, f, \mathcal{F}, \mathcal{Z}$ be as above, let $\mathcal{C}$ be an $\vec M$-acceptable output-invariant efficient complexity function, and let $p$ be an efficient precision function. If, for every polynomial $T$, there exists some negligible function $\epsilon$ such that $(\vec M, \mathrm{comm})$ is a strong $(\mathcal{G}^{\mathcal{C},T}, \mathcal{Z}, p)$-universal implementation of $\mathcal{F}$ with error $\epsilon$, then $\vec M$ is a weak $\mathcal{Z}$-secure computation of $f$ with computational $\mathcal{C}$-precision $p$.


Proof Sketch: Suppose, by way of contradiction, that there exist polynomials $T$ and $g$ such that for infinitely many $n \in \mathbb{N}$, there exists a distribution $\Pr$ on $(\{0,1\}^n)^m \times \{0,1\}^*$, a subset $Z \in \mathcal{Z}$, a $T(n)$-sized distinguisher $D$, and a $T(n)$-sized machine $M'_Z \in \mathcal{M}_{T(n)}$ that controls the players in $Z$ such that, for all machines $\tilde M_Z$ (not necessarily $T(n)$-bounded),
$$\Pr^+(\{(\vec x, z) : D(z, \mathrm{REAL}_{\vec M, M'_Z}(\vec x, z), 1) = 1\}) - \Pr^+(\{(\vec x, z) : D(z, \mathrm{IDEAL}_{f, \tilde M_Z}(\vec x, z), \mathrm{precise}_{Z, M'_Z, \tilde M_Z}(n, \mathrm{view}_{f, \tilde M_Z}(\vec x, z))) = 1\}) > \frac{1}{g(n)}. \quad (22)$$

Consider any such $n$. As in the proof of Theorem B.4, we consider two cases: $M'_Z = \bot$ or $M'_Z \ne \bot$. In both cases, we construct a game $G$ that contradicts the assumption that $(\vec M, \mathrm{comm})$ is a strong universal implementation. The first thing that needs to be changed is that we need to prove that the game $G$ constructed is in $\mathcal{G}^{\mathcal{C},T'}$ for some polynomial $T'$. That is, we need to prove that $u$ can be computed by poly-sized circuits (given that $D$ is poly-size computable). We do not know how to show that the actual utility function $u_Z$ constructed in the proof of Theorem B.4 can be made efficient. However, for each polynomial $g'$, we can approximate it to within an additive term of $\frac{1}{g'(n)}$ using polynomial-sized circuits (by using repeated sampling of $D(t_N, ((t_1, \ldots, t_m), \vec a, v), 1)$ to determine an estimate of $\Pr_{\mathcal{U}}(D(t_N, ((t_1, \ldots, t_m), \vec a, v), 1) = 1)$, and by receiving an estimate of $d$ as non-uniform advice). This is sufficient to show that there exists some $T' \ge T$ such that we can approximate $u$ to within an additive term of $\frac{1}{g'(n)}$, while ensuring that $G \in \mathcal{G}^{\mathcal{C},T'}$. Additionally, we need to make sure that the algorithm $M'_Z$ is a valid strategy in $G$; this easily follows since $M'_Z$ is $T(n)$-bounded, and $T' \ge T$. Taken together, it follows using the same proof as in Theorem B.4 that there exists some polynomial $g''$ such that, in case 1, $\vec M$ is not a $\frac{1}{g''(n)}$-equilibrium in $(G, \mathrm{comm})$, and in case 2, $\bot$ is not a $\frac{1}{g''(n)}$-best response to $\vec M_{-Z}$ in $(G, \mathrm{comm})$. We reach a contradiction in both cases. $\blacksquare$

This  completes  the  proof  of  Theorem  4.3. 
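The sampling-based approximation that the proof sketch of Theorem C.2 relies on, applied to the Case 2 utility $u_Z$ from the proof of Theorem B.4, as an added example (not code from the paper). A toy randomized distinguisher with a known bias stands in for $D$, the precision function is taken to be $p(n,t) = 2t$, the cost $\mathcal{C}_Z(M'_Z, v)$ of a view is taken to be its length, and the value $d$ is passed in as the "non-uniform advice"; all four are assumptions. The number of samples comes from Hoeffding's inequality, which is what makes the additive error $\pm 1/g'(n)$ hold except with probability $\delta$ while keeping the circuit polynomial in $n$.

```python
"""Sampling-based approximation of the Case 2 utility u_Z (proof of Theorem B.4), as the
proof sketch of Theorem C.2 requires.  Constructed example, not the paper's code: a toy
randomized distinguisher with a known bias stands in for D, the precision function is
p(n, t) = 2t, and a view's cost is its length.  All three are assumptions."""
import math
import random


def hoeffding_samples(eps, delta):
    """Smallest N such that N i.i.d. {0,1} samples put the empirical mean within eps of
    the true bias except with probability at most delta (2 exp(-2 N eps^2) <= delta)."""
    return math.ceil(math.log(2.0 / delta) / (2.0 * eps * eps))


def estimate_bias(coin, rng, n_samples):
    """Repeated sampling: empirical frequency of output 1 over n_samples evaluations of
    the randomized predicate on fresh coins.  With polynomial n_samples this is the
    polynomial-size circuit of the proof sketch."""
    return sum(coin(rng) for _ in range(n_samples)) / n_samples


def make_toy_D(true_bias):
    """Constructed stand-in for the randomized D(t_N, ((t_1..t_m), a, v), 1): outputs 1
    with probability true_bias regardless of its input."""
    def D(rng, t=None, a=None, v=None):
        return 1 if rng.random() < true_bias else 0
    return D


def p(n, t):
    """Assumed precision function p(n, t) = 2t (the simulator may be twice as slow)."""
    return 2 * t


def cost_of_view(v):
    """Assumed stand-in for C_Z(M'_Z, v): one unit of complexity per symbol of v."""
    return len(v)


def u_Z_branch(a, c_Z, *, n, i_Z):
    """Which case of the Case 2 utility applies to action profile a and coalition
    complexity c_Z: ('d', None) when c_Z = 0, ('D', v) when a_{i_Z} = y;v and
    0 < p(n, c_Z) <= p(n, C_Z(M'_Z, v)), and ('zero', None) otherwise."""
    if c_Z == 0:
        return "d", None
    a_iZ = a[i_Z]
    if isinstance(a_iZ, tuple) and len(a_iZ) == 2:   # a_{i_Z} parses as y;v
        _y, v = a_iZ
        if 0 < p(n, c_Z) <= p(n, cost_of_view(v)):
            return "D", v
    return "zero", None


def exact_u_Z(t, a, c_Z, *, n, i_Z, d, D_bias):
    """The utility itself, given the exact bias Pr_U[D = 1] (which the proof sketch does
    not know how to compute with a small circuit)."""
    branch, _v = u_Z_branch(a, c_Z, n=n, i_Z=i_Z)
    return {"d": d, "D": D_bias, "zero": 0.0}[branch]


def approx_u_Z(t, a, c_Z, *, n, i_Z, d_advice, D, eps, delta, rng=None):
    """Efficient approximation: d arrives as non-uniform advice, and the 'D' case is
    estimated from hoeffding_samples(eps, delta) evaluations of D, so the result is
    within eps of exact_u_Z except with probability delta.  rng defaults to a fixed
    seed so runs are reproducible."""
    rng = rng if rng is not None else random.Random(0)
    branch, v = u_Z_branch(a, c_Z, n=n, i_Z=i_Z)
    if branch == "d":
        return d_advice
    if branch == "D":
        coin = lambda r: D(r, t, a, v)
        return estimate_bias(coin, rng, hoeffding_samples(eps, delta))
    return 0.0


if __name__ == "__main__":
    n = 4
    eps = 1 / (n * n)                        # additive error 1/g'(n) with g'(n) = n^2
    t = ("x1", "x2", "tN")                   # constructed type profile
    a = ("out1", ("y", "view-of-M'_Z"))      # player i_Z = 1 outputs y;v
    D = make_toy_D(0.3)
    est = approx_u_Z(t, a, 5, n=n, i_Z=1, d_advice=0.25, D=D, eps=eps, delta=2 ** -30)
    print("samples:", hoeffding_samples(eps, 2 ** -30), "estimate:", est,
          "exact:", exact_u_Z(t, a, 5, n=n, i_Z=1, d=0.25, D_bias=0.3))
```

The only non-uniform ingredient is $d$: it is a supremum over all simulators and is not computable by the circuit, so it is hard-wired as advice, exactly as the proof sketch says.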